httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r829619 - in /httpd/httpd/trunk: ./ modules/ssl/
Date Wed, 28 Oct 2009 16:38:06 GMT


On 10/28/2009 04:40 PM, Guenter Knauf wrote:
> Dr Stephen Henson wrote:
>> Guenter Knauf wrote:
>>> Well, I guess it's possible to do that - but isn't it possible to depend
>>> on an OpenSSL version number here?
>>>
>> How far do we have to go back here? OCSP support has been in OpenSSL since
>> version 0.9.7, released 19 Feb 2003.
> we have:
> 
> +#if OPENSSL_VERSION_NUMBER >= 0x00908080 && defined(HAVE_OCSP) \
> +    && !defined(OPENSSL_NO_TLSEXT)
>  #define HAVE_OCSP_STAPLING
>  #endif
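
Review bot: the constant 0x00908080 in the #if line is an undocumented magic number; a short comment naming the OpenSSL release it stands for would save the next reader from decoding it. The same condition also tests defined(HAVE_OCSP), so HAVE_OCSP_STAPLING silently stays undefined if this block is ever evaluated before HAVE_OCSP is set; a comment stating that ordering requirement, or keeping the two definitions adjacent, would make the dependency explicit.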
> 
> so we only support HAVE_OCSP_STAPLING with OpenSSL >= 0x00908080, and it
> seems that we don't need to include openssl/ocsp.h if we don't set
> HAVE_OCSP_STAPLING, so let's just move the above check up, and modify to:
> 
> #if (OPENSSL_VERSION_NUMBER >= 0x00908080) \
>      && !defined(OPENSSL_NO_TLSEXT)
> #define HAVE_OCSP_STAPLING
> #include <openssl/ocsp.h>
> #endif
> 
> and no further need for a HAVE_OCSP define on any platform ...
> 
> comments?

We do not need it only for OCSP stapling but also for "normal" OCSP support.
See ssl_util_ocsp.c
So HAVE_OCSP IMHO still makes sense. Or we need to rely everywhere entirely
on the OPENSSL_VERSION_NUMBER macro for deciding whether we have OCSP / OCSP stapling support.

Regards

Rüdiger
