haproxy icon indicating copy to clipboard operation
haproxy copied to clipboard
verified publisher icon haproxy

SSL_load_error_strings is not defined when DEFINE="-DOPENSSL_API_COMPAT=0x10100000L -DOPENSSL_NO_DEPRECATED" is set

Open chipitsine opened this issue 3 years ago • 5 comments

Tool Name and Version

gcc

Code Report

https://github.com/haproxy/haproxy/runs/7663274388?check_suite_focus=true#step:4:53


  CC      src/cache.o
  CC      src/stconn.o
src/haproxy.c: In function ‘init’:
src/haproxy.c:2235:2: error: implicit declaration of function ‘SSL_load_error_strings’; did you mean ‘ERR_lib_error_string’? [-Werror=implicit-function-declaration]
 2235 |  SSL_load_error_strings();
      |  ^~~~~~~~~~~~~~~~~~~~~~
      |  ERR_lib_error_string
compilation terminated due to -Wfatal-errors.
cc1: all warnings being treated as errors



### Additional Information

_No response_

### Output of `haproxy -vv`

```plain
no

chipitsine avatar Aug 04 '22 04:08 chipitsine

Indeed, according to the man page, this function is part of a deprecated API and is reserved for < 1.1.0. Let's wait for more knowledgeable devs to have a look at this.

wtarreau avatar Aug 07 '22 15:08 wtarreau

erg, too bad. I'll try with OPENSSL_init_crypto() for recent versions but that does not do the same thing.

wlallemand avatar Aug 16 '22 09:08 wlallemand

According to OPENSSL_init_crypto's manpage (https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html), it is rarely required to call this function explicitely since it is already done during OpenSSL's start up. The only time when this function needs to be called in when some specific init settings are set. In our case, we wanted to load the library's error strings, which is already done by default. The attached patch should then be enough. 0001-BUG-MINOR-ssl-SSL_load_error_strings-might-not-be-de.txt

rlebreton avatar Sep 15 '22 15:09 rlebreton

I don't think this is right, I added it explicitely in 3b8bafd4a74519c914e47845ec11700202475f2a because ERR_reason_error_string() was returning NULL values. The only place which uses it for now is the parsing of ca-file which was modified in 0f17ab2fdd83ff4f58151a44a8fe1bc22e5b9c18. I'll need to check this again.

wlallemand avatar Sep 15 '22 15:09 wlallemand

My bad I did not realize it was added lately since it's an old function. I assumed that since the reg-tests were ok with all the versions I tested then it was good. I'll leave it to you then.

rlebreton avatar Sep 16 '22 07:09 rlebreton

You seem to be right, I could not reproduce the problem I had, I must have mistaken. Applying the patch, I marked it to be backported only in 2.6, thank you.

wlallemand avatar Nov 16 '22 10:11 wlallemand

No backport needed at all, it's a mistake.

wlallemand avatar Nov 18 '22 10:11 wlallemand