httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: drop support for OpenSSL < 1.0 in trunk/2.3?
Date Tue, 01 Jun 2010 16:30:33 GMT
On 25.05.2010 15:09, "Plüm, Rüdiger, VF-Group" wrote:
>> -----Original Message-----
>> From: Joe Orton
>> Sent: Tuesday, 25 May 2010 14:46
>> To: dev@httpd.apache.org
>> Subject: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
>>
>> I'd like to drop support for versions of OpenSSL older than
>> 1.0 in the
>> trunk mod_ssl.  We have 200+ lines of compat macro junk and still six
>> different compiler warnings remain in a trunk build against 1.0.0.
>>
>> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
>> mess which litters the code
>>
>> pro: simplify testing: no longer have to test/worry about regressing
>> builds against N subtly different versions of the OpenSSL API all
>>
>> pro: can drop the internal CRL revocation code in favour of OpenSSL's
>>
>> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
>> secure TLS reneg
>>
>> con: trunk/2.3 won't build on all platforms/distros which ship natively
>> with OpenSSL < 1.0 (duh)
>
> While the pros sound promising this is a real strong con.
> Especially as this would mean that 2.4 would not work with OpenSSL < 1.0.
> The problem I see is that if you want to use other OS provided libraries
> like openldap they have dependencies on the OS provided OpenSSL and
> binding Apache against a different OpenSSL version as these libraries
> are bound against looks like a big problem if Apache is bound to them
> as well.
> And building a whole stack of dependencies for Apache seems to be a too
> large hurdle for me for adoption.
>
> So currently I would be -1 (vote not veto) on this.

The same for me. Supporting only 0.9.8 and newer seems to be OK w.r.t.
supported platforms and what they provide now or what can be expected
from them. Deciding about a minimum 0.9.8 patch version is harder.
Although it would be good if vendors would support secure reneg soon, I
doubt that most users will have it on their servers in the next few
years. Some might get a backport into the vendor supplied version, but
not really a full 0.9.8n or higher.

So I'd be +1 for dropping support for OpenSSL < 0.9.8.

Regards,

Rainer
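The message turns on two different floors: 0.9.8 as the oldest release worth building against, and 0.9.8n as the first full release the reply treats as carrying secure renegotiation. Whether a linked library clears either floor is a comparison on OPENSSL_VERSION_NUMBER, whose 0.9.x/1.0.x layout packs major, minor, fix, patch letter and status into one word (MNNFFPPS). The following C is an added example, not code from this thread or from httpd's mod_ssl; it needs only the standard library, takes its thresholds from the message, and the names ossl_parse, ossl_format and ossl_classify are hypothetical. The compile-time `#error` guard only becomes active when an OpenSSL header defines OPENSSL_VERSION_NUMBER.

```c
/* Added example, not httpd code: decode, encode and compare OpenSSL version
 * numbers in the MNNFFPPS layout used by OPENSSL_VERSION_NUMBER for 0.9.x/1.0.x. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Floors discussed in the thread (release status nibble = 0xf). */
#define OSSL_MIN_BUILD        0x0090800fUL   /* 0.9.8  release */
#define OSSL_MIN_SECURE_RENEG 0x009080efUL   /* 0.9.8n release, the figure the reply cites */
#define OSSL_1_0_0            0x1000000fUL   /* 1.0.0  release, Joe's proposed floor */

/* Compile-time floor, the shape a configure/build check would take.
 * Inert here because no OpenSSL header is included. */
#ifdef OPENSSL_VERSION_NUMBER
# if OPENSSL_VERSION_NUMBER < OSSL_MIN_BUILD
#  error "mod_ssl requires OpenSSL 0.9.8 or newer"
# endif
#endif

struct ossl_ver { unsigned major, minor, fix, patch, status; };

/* Split a version word into its fields. */
static struct ossl_ver ossl_decode(unsigned long v) {
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0x0f);  /* M  */
    r.minor  = (unsigned)((v >> 20) & 0xff);  /* NN */
    r.fix    = (unsigned)((v >> 12) & 0xff);  /* FF */
    r.patch  = (unsigned)((v >>  4) & 0xff);  /* PP: 0 = none, 1 = a .. 26 = z, 27 = za .. */
    r.status = (unsigned)( v        & 0x0f);  /* S : 0 = dev, 1..e = beta, f = release */
    return r;
}

/* Render as the familiar "0.9.8n" string; returns buf. */
static const char *ossl_format(unsigned long v, char *buf, size_t n) {
    struct ossl_ver r = ossl_decode(v);
    char patch[3] = "";
    if (r.patch >= 1 && r.patch <= 26) {
        patch[0] = (char)('a' + r.patch - 1);
    } else if (r.patch > 26) {                /* 0.9.8za .. style */
        patch[0] = 'z';
        patch[1] = (char)('a' + r.patch - 27);
    }
    snprintf(buf, n, "%u.%u.%u%s%s", r.major, r.minor, r.fix, patch,
             r.status == 0xf ? "" : (r.status == 0 ? "-dev" : "-beta"));
    return buf;
}

/* Parse "0.9.8n", "0.9.8za" or "1.0.0" into a release-status word; 0 on error. */
static unsigned long ossl_parse(const char *s) {
    unsigned major, minor, fix, patch = 0;
    int consumed = 0;
    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3) return 0;
    if (major > 0x0f || minor > 0xff || fix > 0xff) return 0;
    s += consumed;
    if (s[0] == 'z' && islower((unsigned char)s[1])) { patch = 27 + (unsigned)(s[1] - 'a'); s += 2; }
    else if (islower((unsigned char)s[0]))           { patch =  1 + (unsigned)(s[0] - 'a'); s += 1; }
    if (*s != '\0') return 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix   << 12) | ((unsigned long)patch <<  4) | 0x0fUL;
}

/* Fields are most-significant-first, so a plain numeric compare orders versions.
 * 0 = below the 0.9.8 build floor, 1 = builds but predates the 0.9.8n secure-reneg
 * release, 2 = at or above 0.9.8n. */
static int ossl_classify(unsigned long have) {
    if (have < OSSL_MIN_BUILD)        return 0;
    if (have < OSSL_MIN_SECURE_RENEG) return 1;
    return 2;
}

/* Convenience for checking that format(parse(s)) reproduces s. */
static int ossl_roundtrip(const char *s) {
    char buf[32];
    unsigned long v = ossl_parse(s);
    return v != 0 && strcmp(ossl_format(v, buf, sizeof buf), s) == 0;
}

int main(void) {
    /* Constructed sample set spanning both floors. */
    const char *samples[] = { "0.9.7m", "0.9.8e", "0.9.8n", "0.9.8zh", "1.0.0" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = ossl_parse(samples[i]);
        printf("%-8s 0x%08lx  class %d  (%s)\n", samples[i], v,
               ossl_classify(v), ossl_format(v, buf, sizeof buf));
    }
    return 0;
}
```

Because the status nibble sits lowest, a beta of 0.9.8n (status 1..e) correctly sorts below the 0.9.8n release, which is the distinction between a vendor backport of the reneg fix and "a full 0.9.8n or higher".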
