httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: drop support for OpenSSL < 1.0 in trunk/2.3?
Date Tue, 25 May 2010 13:09:23 GMT
 

> -----Original Message-----
> From: Joe Orton 
> Sent: Tuesday, 25 May 2010 14:46
> To: dev@httpd.apache.org
> Subject: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
> 
> I'd like to drop support for versions of OpenSSL older than 1.0 in the
> trunk mod_ssl.  We have 200+ lines of compat macro junk and still six
> different compiler warnings remain in a trunk build against 1.0.0.
> 
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro 
> mess which litters the code
> 
> pro: simplify testing: no longer have to test/worry about regressing 
> builds against N subtly different versions of the OpenSSL API all
> 
> pro: can drop the internal CRL revocation code in favour of OpenSSL's
> 
> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
> secure TLS reneg
> 
> con: trunk/2.3 won't build on all platforms/distros which ship natively
> with OpenSSL < 1.0 (duh)

While the pros sound promising, this is a really strong con.
Especially as this would mean that 2.4 would not work with OpenSSL < 1.0.
The problem I see is that if you want to use other OS-provided libraries
like openldap, they have dependencies on the OS-provided OpenSSL, and
binding Apache against a different OpenSSL version than the one these
libraries are bound against looks like a big problem if Apache is bound
to them as well.
And building a whole stack of dependencies for Apache seems to me to be
too large a hurdle for adoption.

So currently I would be -1 (vote not veto) on this.

Regards

Rüdiger

