pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

Building against openssl-1.1.1 configured with no-psk results broken .so #4588

Closed fabled closed 5 years ago

fabled commented 5 years ago

If openssl 1.1.1 is detected, the TLSv1.3 psk stuff is enabled unconditionally. However, it can be disabled via no-psk configuration.

Building against such openssl will give the following:

$ ldd /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
    ldd (0x7ff279843000)
    libssl.so.1.1 => /lib/libssl.so.1.1 (0x7ff279705000)
    libcrypto.so.1.1 => /lib/libcrypto.so.1.1 (0x7ff279488000)
    libpython3.6m.so.1.0 => /usr/lib/libpython3.6m.so.1.0 (0x7ff279202000)
    libc.musl-x86_64.so.1 => ldd (0x7ff279843000)
Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: SSL_CTX_set_psk_client_callback: symbol not found
Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: SSL_CTX_use_psk_identity_hint: symbol not found
Error relocating /usr/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: SSL_CTX_set_psk_server_callback: symbol not found

reaperhulk commented 5 years ago

Can you look in opensslconf and tell me what the define is for this? It's probably OPENSSL_NO_PSK but if you could confirm we can add a conditional around this.

reaperhulk commented 5 years ago

Are there distros considering shipping with no-psk enabled btw? We don't support the combinatorial set of all possible OpenSSL configurations as a general policy because testing all of them in CI is effectively impossible. So for a no-psk config we'd want to have a distribution that has chosen to do that before we supported it.

fabled commented 5 years ago

Yes, it is OPENSSL_NO_PSK. Currently Alpine Linux ships with that, but I just raised the question if we want to reconsider. See https://github.com/alpinelinux/aports/commit/abe1dc5988d12f5aca771605b109390f33ce7519#commitcomment-31279291
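
The check the two comments above converge on, as an added example that is not part of the pyca/cryptography code base: it inspects a build's opensslconf.h for the OPENSSL_NO_PSK define (generalised to every OPENSSL_NO_* feature define) and probes the linked libssl for the three exports ldd reported missing. The sample header text is constructed, and the function and constant names are my own.

```python
"""Added example (not pyca/cryptography's own code): check whether an OpenSSL
build was configured with no-psk via the OPENSSL_NO_PSK define named in the thread."""
import ctypes
import ctypes.util
import re

# Matches "#define OPENSSL_NO_PSK" and the "# define OPENSSL_NO_PSK" spelling that
# OpenSSL 1.1.1's generated opensslconf.h uses inside its #ifndef guards.
_NO_FEATURE_RE = re.compile(r"^\s*#\s*define\s+(OPENSSL_NO_[A-Z0-9_]+)\b", re.MULTILINE)

# The three exports ldd reported missing in the issue.
PSK_SYMBOLS = (
    "SSL_CTX_set_psk_client_callback",
    "SSL_CTX_set_psk_server_callback",
    "SSL_CTX_use_psk_identity_hint",
)


def disabled_features(opensslconf_text):
    """Return every OPENSSL_NO_* feature define found in opensslconf.h text."""
    return set(_NO_FEATURE_RE.findall(opensslconf_text))


def psk_disabled_in_config(opensslconf_text):
    """True if the header says the library was configured with no-psk."""
    return "OPENSSL_NO_PSK" in disabled_features(opensslconf_text)


def libssl_exports_psk(libssl_path=None):
    """Probe the runtime libssl the way the dynamic linker would: True/False when
    the PSK exports are all present/any missing, None if no libssl can be loaded."""
    path = libssl_path or ctypes.util.find_library("ssl")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    # ctypes raises AttributeError for a missing export, so hasattr() is the probe.
    return all(hasattr(lib, name) for name in PSK_SYMBOLS)


# Constructed sample in the layout OpenSSL 1.1.1 generates for a no-psk build.
SAMPLE_NO_PSK_CONF = """#ifndef OPENSSL_NO_PSK
# define OPENSSL_NO_PSK
#endif
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
"""
```

Run `psk_disabled_in_config` over the real opensslconf.h of the target toolchain before building the bindings; `libssl_exports_psk` gives the same answer for an already installed libssl without needing the headers.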

neheb commented 5 years ago

OpenWrt's build system allows disabling PSK support.

reaperhulk commented 5 years ago

Okay, I'm convinced we should support this config. I'll put up a PR for this soon-ish.