httpd-dev mailing list archives

From Geoff Thorpe <ge...@geoffthorpe.net>
Subject Re: [PATCH] openssl configuration
Date Fri, 28 Feb 2003 15:45:45 GMT
Hi Thom,

* Thom May (thom@planetarytramp.net) wrote:
> * Geoff Thorpe (geoff@geoffthorpe.net) wrote :
> > It would perhaps make sense to provide a "--force-ssl-ver" type of
> > option that would bypass version checks, and then have any version
> > checking failure text point out the existence of "--force-ssl-ver". This
> > way, the more determined users can force configure to bypass that,
> > whilst it still provides a certain safety-net for the more naive and
> > less intrepid against accidentally meddling with known-to-be-out-of-date
> > support libraries.
> 
> (un)?fortunately most vendors prefer to backport security fixes rather than
> release new versions of software into stable releases since backports are
> far less likely to interfere with already tested and correctly integrated
> software. Thus the average user is unlikely to *know* that they would need
> to force an ssl version. Less intrepid users are far more likely to be
> following vendor security updates ;-)

Well, this is an issue for the httpd developers to decide on, not me. I
put the version checks in because (a) to me (again, outside the httpd
sphere of view) it seemed logical, but more importantly (b) the existing
autoconf checks did essentially the same version checking but in a more
fragile form and for a now out-of-date threshold. I'm just as happy to
axe the version check or set up warnings in its place. My goal here is
to fix the openssl checks so that the currently-incorrect path, include,
and linker handling is corrected. E.g. if I set up my system with
non-standard PATH, INCLUDES, ld.so.conf, etc - anything following normal
autoconf practice will be fine but apache's ssl/tls handling will not.
Likewise if --with-ssl=<dir> is used with a relative path it will
succeed the configure checks but fail compilation. W.r.t. the version
checks, I don't feel passionately about it one way or the other - by all
means tell me what the consensus is and I'll rejig the patch for that.

> I don't think we should have enforced version checks for this; if we do
> detect an old version I think the most we should do is to suggest that the
> user checks with their vendor that they have the most up-to-date release for
> their OS; and that said release fixes the (known) security holes.

If that's what people want, that's what I'll do. Should I simply leave
in a version check equivalent to the existing one (0.9.6e) and not rock
the boat? Or should I turn the version error into a version warning?

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/
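
The two behaviours discussed in this message, sketched as an added shell example that is not taken from the patch or from httpd's configure: a `--with-ssl=<dir>` value is resolved to an absolute path, and a version below the 0.9.6e threshold yields a warning instead of an error. All function names are hypothetical, and the header location `<dir>/include/openssl/opensslv.h` is an assumption.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not code from the patch.
SSL_MIN_HEX=0x0090605f   # 0.9.6e in OPENSSL_VERSION_NUMBER encoding (MNNFFPPS)

# Resolve a --with-ssl=<dir> value to an absolute path so that -I/-L flags
# built from it stay valid when the build runs in another directory.
ssl_abs_dir() {
    [ -d "$1" ] || return 1
    (cd "$1" && pwd)
}

# Print the hex literal of OPENSSL_VERSION_NUMBER found in the header, or
# nothing if the header is missing or the macro is not a plain hex literal.
ssl_version_hex() {
    hdr="$1/include/openssl/opensslv.h"
    [ -r "$hdr" ] || return 0
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9a-fA-F]\{1,\}\).*/\1/p' "$hdr" | head -n 1
}

# Print "ok", "warn" or "unknown". An old number is never fatal here, since
# a vendor package may carry backported fixes under an unchanged version.
ssl_version_status() {
    ver=$(ssl_version_hex "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif [ $(($ver)) -lt $(($SSL_MIN_HEX)) ]; then
        echo warn
    else
        echo ok
    fi
}

# Print the absolute directory on stdout; warnings go to stderr.
check_ssl_dir() {
    dir=$(ssl_abs_dir "$1") || { echo "error: $1 is not a directory" >&2; return 1; }
    case $(ssl_version_status "$dir") in
        warn) echo "warning: OpenSSL in $dir reports a version older than 0.9.6e; check with your vendor that security fixes are applied" >&2 ;;
        unknown) echo "warning: could not determine the OpenSSL version in $dir" >&2 ;;
    esac
    echo "$dir"
}

# Constructed fixture: write a minimal opensslv.h carrying the given literal.
ssl_fixture() {
    mkdir -p "$1/include/openssl"
    printf '#define OPENSSL_VERSION_NUMBER\t%s\n' "$2" > "$1/include/openssl/opensslv.h"
}
```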

