
dnsdist: Load an openssl configuration file, if any, during startup #8733

Merged
merged 2 commits into PowerDNS:master from ddist-openssl-init on Jan 22, 2020

Conversation

rgacogne
Member

@rgacogne rgacogne commented Jan 21, 2020

Short description

This way dnsdist will load the default OpenSSL configuration, or a custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuring various options supported by OpenSSL.
This requires OpenSSL >= 1.1.0.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

This way dnsdist will load the default OpenSSL configuration, or a
custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuring various options supported
by OpenSSL.
This requires OpenSSL >= 1.1.0.
pdns/dnsdistdist/libssl.cc (review comment, outdated, resolved)
@pieterlexis
Contributor

@pieterlexis pieterlexis commented Jan 22, 2020

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

@rgacogne
Member Author

@rgacogne rgacogne commented Jan 22, 2020

Should the #if perhaps be centralized and do a #define PDNS_OPENSSL_RECENT_ENOUGH but a better name?

I don't really see what you mean by that, we have several checks referring to different versions of OpenSSL and LibreSSL, with only one of them being used twice?

@omoerbeek
Member

@omoerbeek omoerbeek commented Jan 22, 2020

Maybe, but not all version numbers are the same, though I also could live with "libressl must be new enough" test.

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekey is not at all.

@omoerbeek
Member

@omoerbeek omoerbeek commented Jan 22, 2020

Current version of PR compiles and links fine on OpenBSD.

@rgacogne
Member Author

@rgacogne rgacogne commented Jan 22, 2020

Additionally, SSL_CTX_set_min_proto_version is available as well with libressl >= 2.7, but SSL_CTX_get0_privatekey is not at all.

I guess we could try to properly detect if these functions are present during configure, but it's a bit out-of-scope for this PR that I would like to be able to merge quickly.
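An added example, not dnsdist's own code, tying together the PR description (config loading needs OpenSSL >= 1.1.0) and the discussion above about version checks differing between OpenSSL and LibreSSL: a version gate written so the LibreSSL pitfall is visible, plus the guarded startup call. The function names, the WITH_OPENSSL build macro and the decision to report LibreSSL as unsupported are my assumptions, not anything the PR establishes.

```c
/* Added example, not dnsdist's own code: a version gate for OpenSSL
 * config loading, and the guarded startup call the gate protects. */

/* OpenSSL encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS (major, minor,
 * fix, patch, status). 0x1010000fL is the 1.1.0 release, the first that
 * provides OPENSSL_init_ssl() and OPENSSL_INIT_LOAD_CONFIG. */
#define OPENSSL_1_1_0_RELEASE 0x1010000fL

/* Split 0xMNNFFPPS into major/minor/fix for diagnostics. */
void decode_openssl_version(unsigned long v, unsigned *major,
                            unsigned *minor, unsigned *fix)
{
    *major = (unsigned)(v >> 28) & 0xfu;
    *minor = (unsigned)(v >> 20) & 0xffu;
    *fix   = (unsigned)(v >> 12) & 0xffu;
}

/* Returns 1 when config loading at startup can be used. LibreSSL always
 * reports OPENSSL_VERSION_NUMBER as 0x20000000L, so a plain numeric
 * comparison would wrongly accept every LibreSSL release; a LibreSSL
 * branch must be keyed on LIBRESSL_VERSION_NUMBER instead. The PR only
 * claims OpenSSL >= 1.1.0, so this example (an assumption) reports
 * LibreSSL as unsupported rather than guessing a LibreSSL threshold. */
int config_loading_supported(unsigned long version_number, int is_libressl)
{
    if (is_libressl) {
        return 0;
    }
    return version_number >= OPENSSL_1_1_0_RELEASE ? 1 : 0;
}

#ifdef WITH_OPENSSL /* build with -DWITH_OPENSSL -lssl -lcrypto to enable */
#include <openssl/ssl.h>
/* Loads the default OpenSSL config, or the file named by OPENSSL_CONF.
 * Returns 1 on success, 0 on error, -1 when the library is too old. */
int load_openssl_config_at_startup(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
    return OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
#else
    return -1;
#endif
}
#endif
```

Since OPENSSL_CONF decides which file (and therefore which engine or settings) gets loaded, the environment dnsdist is started with deserves the same ownership and write-permission controls as the configuration file itself.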

@rgacogne rgacogne merged commit a0afc49 into PowerDNS:master Jan 22, 2020
28 checks passed
@rgacogne rgacogne deleted the ddist-openssl-init branch Jan 22, 2020