diff --git a/README.rst b/README.rst
index 1092ebbf..cc20d5a1 100644
--- a/README.rst
+++ b/README.rst
@@ -67,6 +67,8 @@ required:
 * zlib >= 1.2.3
 ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015).
+LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more
+features thatn LibreSSL at the time of this writing.
 To enable the SPDY protocol in the application program ``nghttpx`` and
 ``h2load``, the following package is required:
diff --git a/script/fetch-ocsp-response b/script/fetch-ocsp-response
index ddeef068..1914886b 100755
--- a/script/fetch-ocsp-response
+++ b/script/fetch-ocsp-response
@@ -142,13 +142,13 @@ def send_and_receive_ocsp(respder_fn, cmd, cert_fn, issuer_fn, ocsp_uri,
 # obtain response (without verification)
 sys.stderr.write('sending OCSP request to {}\n'.format(ocsp_uri))
 args = [
- cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri
+ cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri,
+ '-noverify', '-respout', respder_fn
 ]
- if openssl_version.lower().startswith('openssl 1.'):
+ ver = openssl_version.lower()
+ if ver.startswith('openssl 1.') or ver.startswith('libressl '):
 args.extend(['-header', 'Host', ocsp_host])
- args.extend(['-noverify', '-respout', respder_fn])
 resp = run_openssl(args, allow_tempfail=True)
-
 return resp.decode('utf-8')
@@ -188,7 +188,7 @@ def fetch_ocsp_response(cmd, cert_fn, tempdir, issuer_fn=None):
 'fetch-ocsp-response (using {})\n'.format(openssl_version))
 ocsp_uri = extract_ocsp_uri(cmd, cert_fn)
- ocsp_host = urlparse(ocsp_uri).hostname
+ ocsp_host = urlparse(ocsp_uri).netloc
 if not issuer_fn:
 issuer_fn = os.path.join(tempdir, 'issuer.crt')
diff --git a/src/h2load.cc b/src/h2load.cc
index 76e8649f..cb91fbf4 100644
--- a/src/h2load.cc
+++ b/src/h2load.cc
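Review bot: The Host-header gate in send_and_receive_ocsp is a banner prefix test, so a build whose version string does not start with `openssl 1.` or `libressl ` still sends the OCSP request, only without a Host header and without any message saying so; a responder behind name-based virtual hosting may then reject the request or answer for a different host. If the restriction exists only because older releases lack `-header`, excluding those explicitly would age better than listing the accepted banners, and a one-line stderr message in the skipped case would make such failures diagnosable. The two prefixes can also be passed as one tuple: `if ver.startswith(('openssl 1.', 'libressl ')):`. The rest of the signature and how `openssl_version` is obtained lie outside the hunk.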
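Review bot: In fetch_ocsp_response, `urlparse(ocsp_uri).netloc` keeps any `user:password@` part of the URI along with the port, and the value appears to end up as the Host header passed to `openssl ocsp` in the other hunk of this file. The URI is read out of the certificate by `extract_ocsp_uri`, so it is better treated as untrusted input and rebuilt from the parsed fields: `u = urlparse(ocsp_uri)` followed by `ocsp_host = u.hostname if u.port is None else '{}:{}'.format(u.hostname, u.port)`. Note that `hostname` lower-cases the name and drops IPv6 brackets, so a literal IPv6 responder address would need the brackets restored. The remainder of the function is outside the hunk.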
@@ -292,7 +292,8 @@ const char *get_tls_protocol(SSL *ssl) {
 namespace {
 void print_server_tmp_key(SSL *ssl) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+// libressl does not have SSL_get_server_tmp_key
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && defined(SSL_get_server_tmp_key)
 EVP_PKEY *key;
 if (!SSL_get_server_tmp_key(ssl, &key)) {
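Review bot: The new guard in print_server_tmp_key only works while `SSL_get_server_tmp_key` is a preprocessor macro; against a library that provides it as a real function, `defined(...)` is false and the whole block is compiled out with no diagnostic. The added comment should record that dependency, for example `// SSL_get_server_tmp_key is a macro in OpenSSL >= 1.0.2; LibreSSL lacks it, so defined() is the feature test`. The body of the function and the matching `#endif` are outside the hunk, so whether the disabled path reports anything to the user cannot be seen here.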