Merge branch 'libressl'

README.rst

@@ -67,6 +67,8 @@ required:
 * zlib >= 1.2.3
 
 ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015).
+LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more
+features thatn LibreSSL at the time of this writing.
 
 To enable the SPDY protocol in the application program ``nghttpx`` and
 ``h2load``, the following package is required:

script/fetch-ocsp-response

@@ -142,13 +142,13 @@ def send_and_receive_ocsp(respder_fn, cmd, cert_fn, issuer_fn, ocsp_uri,
     # obtain response (without verification)
     sys.stderr.write('sending OCSP request to {}\n'.format(ocsp_uri))
     args = [
-        cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri
+        cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri,
+        '-noverify', '-respout', respder_fn
     ]
-    if openssl_version.lower().startswith('openssl 1.'):
+    ver = openssl_version.lower()
+    if ver.startswith('openssl 1.') or ver.startswith('libressl '):
         args.extend(['-header', 'Host', ocsp_host])
-    args.extend(['-noverify', '-respout', respder_fn])
     resp = run_openssl(args, allow_tempfail=True)
-
     return resp.decode('utf-8')
 
 
@@ -188,7 +188,7 @@ def fetch_ocsp_response(cmd, cert_fn, tempdir, issuer_fn=None):
         'fetch-ocsp-response (using {})\n'.format(openssl_version))
 
     ocsp_uri = extract_ocsp_uri(cmd, cert_fn)
-    ocsp_host = urlparse(ocsp_uri).hostname
+    ocsp_host = urlparse(ocsp_uri).netloc
 
     if not issuer_fn:
         issuer_fn = os.path.join(tempdir, 'issuer.crt')

src/h2load.cc

@@ -292,7 +292,8 @@ const char *get_tls_protocol(SSL *ssl) {
 
 namespace {
 void print_server_tmp_key(SSL *ssl) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+// libressl does not have SSL_get_server_tmp_key
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && defined(SSL_get_server_tmp_key)
   EVP_PKEY *key;
 
   if (!SSL_get_server_tmp_key(ssl, &key)) {