httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?
Date Sun, 31 Jul 2011 07:38:05 GMT
I'm considering cleaning up some of the cert revocation checking code in
mod_ssl, in particular ssl_callback_SSLVerify_CRL(), which currently has
the following comment:

 * OpenSSL provides the general mechanism to deal with CRLs but does not
 * use them automatically when verifying certificates, so we do it
 * explicitly here. We will check the CRL for the currently checked
 * certificate, if there is such a CRL in the store.

This was true in 1999 when CRL support was originally added to mod_ssl
by rse, but times have changed - CRL checking support was introduced
with OpenSSL 0.9.7, released in December 2002
(http://cvs.openssl.org/chngview?cn=4670).

Question: does anybody object to mod_ssl in trunk having OpenSSL 0.9.7
as a minimum requirement?

Some more data points:

- the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004

- OpenSSL 0.9.8 was released in July 2005

- the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007

- OpenSSL 1.0.0 was released in March 2010

I.e., no one should try to compile trunk against OpenSSL 0.9.6 these
days, IMO (and even 0.9.7 isn't really a good idea, as the official
releases are no longer maintained).

Requiring at least 0.9.7 would essentially allow to get rid of
ssl_callback_SSLVerify_CRL() completely, by switching to
X509_STORE_CTX_set_flags/X509_VERIFY_PARAM_set_flags and setting
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL.

On this occasion, it would probably make sense to drop support for the
RSA BSAFE SSL-C toolkit, too (last update released in April 2007).

Thoughts? Objections?

Kaspar

Mime
View raw message