httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57375] Support LibreSSL as an alternative toolkit for mod_ssl
Date Sun, 11 Jan 2015 11:54:55 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57375

Kaspar Brand <asfbugz@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.10                      |2.5-HEAD
            Summary|[PATCH] Unbreak 2.4 build   |Support LibreSSL as an
                   |with LibreSSL               |alternative toolkit for
                   |                            |mod_ssl
           Severity|normal                      |enhancement

--- Comment #1 from Kaspar Brand <asfbugz@velox.ch> ---
Rewording the summary to more accurately capture the topic of this bug.

I'm not really supportive of this idea, to be frank. mod_ssl is effectively
mod_openssl these days. It used to have (and in 2.2.x still does) an
ssl_toolkit_compat layer which allowed support for multiple toolkits, in
theory, but as discussed in these two threads, the consensus in 2010/2011 was
to deliberately drop support for non-OpenSSL toolkits:

https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%3C20100525124551.GA11177%40redhat.com%3E

https://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%3C4E35065D.30104%40velox.ch%3E

(see r1154683 and r1154687)

While the changes for supporting LibreSSL might seem small right now, it would
definitely mean that mod_ssl maintenance becomes [again] more complex, assuming
a scenario of LibreSSL deviating more substantially from OpenSSL in the future
(consider http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3
e.g.).

Maintaining mod_ssl compatibility with all OpenSSL versions still floating
around (0.9.7/0.9.8/1.0.0/1.0.1) is already quite burdensome, and I wouldn't
want to make things more complicated by adding another toolkit to the mix
(otherwise, next on the table would be BoringSSL, I guess). Let's draw a clear
line right now, and not silently morph mod_[open]ssl into something like
mod_{libre,boring,...}ssl.

-- 
You are receiving this mail because:
You are the assignee for the bug.
