From 69119f47c4bf7550a68c1a3d894490f0d0a481f3 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 17 Jun 2015 18:24:14 +0900 Subject: [PATCH 1/3] src: Support compile with LibreSSL --- src/h2load.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/h2load.cc b/src/h2load.cc index 76e8649f..cb91fbf4 100644 --- a/src/h2load.cc +++ b/src/h2load.cc @@ -292,7 +292,8 @@ const char *get_tls_protocol(SSL *ssl) { namespace { void print_server_tmp_key(SSL *ssl) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000L +// libressl does not have SSL_get_server_tmp_key +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && defined(SSL_get_server_tmp_key) EVP_PKEY *key; if (!SSL_get_server_tmp_key(ssl, &key)) { From 07f763be49783fce9e86e02ffda4578e85f23641 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 17 Jun 2015 18:24:57 +0900 Subject: [PATCH 2/3] fetch-ocsp-response: Support LibreSSL, and include port in ocsp_host --- script/fetch-ocsp-response | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/script/fetch-ocsp-response b/script/fetch-ocsp-response index ddeef068..1914886b 100755 --- a/script/fetch-ocsp-response +++ b/script/fetch-ocsp-response @@ -142,13 +142,13 @@ def send_and_receive_ocsp(respder_fn, cmd, cert_fn, issuer_fn, ocsp_uri, # obtain response (without verification) sys.stderr.write('sending OCSP request to {}\n'.format(ocsp_uri)) args = [ - cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri + cmd, 'ocsp', '-issuer', issuer_fn, '-cert', cert_fn, '-url', ocsp_uri, + '-noverify', '-respout', respder_fn ] - if openssl_version.lower().startswith('openssl 1.'): + ver = openssl_version.lower() + if ver.startswith('openssl 1.') or ver.startswith('libressl '): args.extend(['-header', 'Host', ocsp_host]) - args.extend(['-noverify', '-respout', respder_fn]) resp = run_openssl(args, allow_tempfail=True) - return resp.decode('utf-8') 
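Review bot: In src/h2load.cc, `print_server_tmp_key` now depends on `defined(SSL_get_server_tmp_key)`, which holds only while the library exposes that call as a preprocessor macro. If a library provides it as a real function, the body compiles out silently and h2load stops reporting the server's ephemeral key. An explicit library test such as `#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)` states the intent directly. If the feature test is kept, the comment should say why it works, e.g. `// libressl does not have SSL_get_server_tmp_key; OpenSSL defines it as a macro, so defined() acts as a feature test`. The function body continues past the end of the hunk, so the matching `#endif` is not visible here.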
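Review bot: In script/fetch-ocsp-response, `send_and_receive_ocsp` picks the `-header` syntax from a version-banner prefix, and `ver.startswith('openssl 1.')` matches every 1.x release. As far as I know, only the 1.0.x `ocsp` command accepts the two-argument form `-header Host <value>`, and later releases expect `name=value`. If so, the gate should be narrowed to `'openssl 1.0.'`, with a separate branch for the newer form. Because `-noverify` now sits in the base argument list, a comment naming where the DER response written to `respder_fn` is verified before it is used would help; that step is not visible in this hunk. The function starts before the hunk.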
@@ -188,7 +188,7 @@ def fetch_ocsp_response(cmd, cert_fn, tempdir, issuer_fn=None): 'fetch-ocsp-response (using {})\n'.format(openssl_version)) ocsp_uri = extract_ocsp_uri(cmd, cert_fn) - ocsp_host = urlparse(ocsp_uri).hostname + ocsp_host = urlparse(ocsp_uri).netloc if not issuer_fn: issuer_fn = os.path.join(tempdir, 'issuer.crt') From 17ec30e45c6d7e843471b1cdb78e242f4e247f72 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 17 Jun 2015 18:27:27 +0900 Subject: [PATCH 3/3] Mention LibreSSL in README.rst --- README.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.rst b/README.rst index 1092ebbf..cc20d5a1 100644 --- a/README.rst +++ b/README.rst @@ -67,6 +67,8 @@ required: * zlib >= 1.2.3 ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015). +LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more +features thatn LibreSSL at the time of this writing. To enable the SPDY protocol in the application program ``nghttpx`` and ``h2load``, the following package is required:
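Review bot: In `fetch_ocsp_response`, `urlparse(ocsp_uri).netloc` keeps more than the port, because any `user:password@` part of the URI is included too. The URI appears to come from the certificate being processed (`extract_ocsp_uri(cmd, cert_fn)`), and `ocsp_host` is presumably what the other hunk sends as the `Host` header, so that header value is certificate-controlled. Building it from the parsed parts keeps the port and drops userinfo: `u = urlparse(ocsp_uri)` followed by `ocsp_host = u.hostname if u.port is None else '{}:{}'.format(u.hostname, u.port)`. `hostname` is `None` for a URI without a host and drops the brackets of an IPv6 literal, so both cases need explicit handling, with an early error for the first. The function continues outside the hunk.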