httpd-dev mailing list archives

From Steve Marquess <marqu...@opensslfoundation.com>
Subject Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
Date Sat, 29 May 2010 13:02:16 GMT
Dr Stephen Henson wrote:
> On 25/05/2010 13:45, Joe Orton wrote:
>  
>> I'd like to drop support for versions of OpenSSL older than 1.0 in 
>> the trunk mod_ssl.  We have 200+ lines of compat macro junk and still 
>> six different compiler warnings remain in a trunk build against 1.0.0.
>>
>> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro 
>> mess which litters the code
>>
>> pro: simplify testing: no longer have to test/worry about regressing 
>> builds against N subtly different versions of the OpenSSL API all
>>
>> pro: can drop the internal CRL revocation code in favour of OpenSSL's
>>
>> pro: users will be "encouraged" to upgrade to a modern OpenSSL which 
>> has secure TLS reneg
>>
>> con: trunk/2.3 won't build on all platforms/distros which ship 
>> natively with OpenSSL < 1.0 (duh)
>>
>> con: I presume this will mean dropping support for the RSA/... 
>> toolkits, if they even work still, which I very much doubt
>>
>> So... love/hate?
>>
>>
>
> con: means FIPS 140-2 support would be dropped too. FIPS 140-2 is not
> supported in 1.0.0, only 0.9.8 (well 0.9.7 too but we recommend everyone
> use the 1.2 module with 0.9.8 if possible).
>

Belated comment: FIPS 140-2 is used with Apache, both directly as open 
source and as vendor supplied binaries.  FIPS 140-2 is required in U.S. 
DoD and federal government environments (where I do much of my 
consulting work).  That requirement has been in place for years but is 
now actually being enforced.  Many users would like to upgrade but can't 
due to that requirement.

Until a new FIPS validation is available for OpenSSL 1.0.0 it would IMHO 
be a Very Bad Thing to drop support for 0.9.8.  Such a validation will 
require commercial or government sponsorship, as did the earlier 
validations, plus a long lead time.  We get occasional expressions of 
interest but nothing solid yet, but I'm confident it will happen 
eventually.  In the meantime, dropping support for 0.9.8 will force many 
government sector Apache users elsewhere.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marquess@opensslfoundation.com

