httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
Date Tue, 25 May 2010 13:14:49 GMT
On Tue, May 25, 2010 at 8:45 AM, Joe Orton <jorton@redhat.com> wrote:
> I'd like to drop support for versions of OpenSSL older than 1.0 in the
> trunk mod_ssl.  We have 200+ lines of compat macro junk and still six
> different compiler warnings remain in a trunk build against 1.0.0.
>
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> mess which litters the code
>
> pro: simplify testing: no longer have to test/worry about regressing
> builds against N subtly different versions of the OpenSSL API all
>
> pro: can drop the internal CRL revocation code in favour of OpenSSL's

sure

> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
> secure TLS reneg

OTOH, I guess that if our encouragement is successful then there would
be fewer httpd installations utilizing mostly-painless OpenSSL patches
from their OS vendor over the next few years.  That may be bad for
security overall.

> con: trunk/2.3 won't build on all platforms/distros which ship natively
> with OpenSSL < 1.0 (duh)

bad for 2.3 alpha/beta testing

> con: I presume this will mean dropping support for the RSA/... toolkits,
> if they even work still, which I very much doubt

don't care

> So... love/hate?

both

--/--

There's no ready answer to this, but I wonder:  How much of the
current conditional logic is required to support the OpenSSL in

fully patched RHEL 4
fully patched Solaris 10
(some other typical server platform that bundles OpenSSL)

Mime
View raw message