Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8F95A6FF3 for ; Sun, 31 Jul 2011 07:38:49 +0000 (UTC) Received: (qmail 54955 invoked by uid 500); 31 Jul 2011 07:38:48 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 54203 invoked by uid 500); 31 Jul 2011 07:38:39 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 54188 invoked by uid 99); 31 Jul 2011 07:38:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 31 Jul 2011 07:38:31 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [62.75.148.60] (HELO appendix.velox.ch) (62.75.148.60) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 31 Jul 2011 07:38:25 +0000 Received: from cortex.velox.ch (77-57-164-164.dclient.hispeed.ch [77.57.164.164]) (authenticated bits=0) by appendix.velox.ch (8.14.4/8.14.4/2.1) with ESMTP id p6V7c3iQ023667 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Sun, 31 Jul 2011 09:38:03 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f; t=1312097884; bh=RGzU337DTRlSTCu4DoIb35JM2X/WE29brY1d9qrWrXQ=; h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type: Content-Transfer-Encoding; b=mVnp+ggwVRKcwJNx3zwApAsfJHACl32djZz8RQ9/hnNprjZvpivgENhqK/sxY2ZWz GHNZfQM/9reqTYDJpA1U3FlgZXvxLKT538hQpdxxSAqwMySol2nH+rhlAbeydmZHFL P68BPkr3ybZq5QPKNU8zQYdK65MGfZE/NRXawqLbsJTB5ytb9aUqKFR04/c+Z0GbKN lT+dY3YejYuGeIkecAS4D47/A0ZW3zGgQQBLWTLhtKyLefqexGQ+pPolkbZzozC8y3 UaN25Q4Pqz42CMXZXzDlGrFF7AocimN2pzV0CPZivIaPBPJCV+Qks8M3ID6gxhrRC6 mjkWw0zpZpN3Q== Message-ID: <4E35065D.30104@velox.ch> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58; t=1312097883; bh=RGzU337DTRlSTCu4DoIb35JM2X/WE29brY1d9qrWrXQ=; h=Date:From:MIME-Version:To:Subject:Content-Type: Content-Transfer-Encoding; b=j/nAYZPk01PZ8mHgR4fbpnYnP032nimvONM/DJsppUiln5r9hUokRjcqvtIqe3YIR gE6zGJuCOH0UoAdjP1+yWGCRLWFs0G+TLdvW+ICheHrvF78enSY3pQRErX8nMA6r98 tBubmV09lnF8EDvJ2HErgUsBWGbYs4E7gFQv3psBk5gGjcTf4m3fxm+zpkIT+QSB55 T0oz/1QDJIQlyIFtXxv/dLVZgz4gJK4TFWda/gJJFX3wvaAI3MEbuD41CWtGYdn4VX evy3hq1sTUSf9KueJ/lREiVzoR5yJxjP2svF+Fg/HoyCykCTsFAzRuVyhMQ+QUA3pj gcKPa2dz7DKFg== Date: Sun, 31 Jul 2011 09:38:05 +0200 From: Kaspar Brand MIME-Version: 1.0 To: dev@httpd.apache.org Subject: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement? Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit I'm considering cleaning up some of the cert revocation checking code in mod_ssl, in particular ssl_callback_SSLVerify_CRL(), which currently has the following comment: * OpenSSL provides the general mechanism to deal with CRLs but does not * use them automatically when verifying certificates, so we do it * explicitly here. We will check the CRL for the currently checked * certificate, if there is such a CRL in the store. This was true in 1999 when CRL support was originally added to mod_ssl by rse, but times have changed - CRL checking support was introduced with OpenSSL 0.9.7, released in December 2002 (http://cvs.openssl.org/chngview?cn=4670). Question: does anybody object to mod_ssl in trunk having OpenSSL 0.9.7 as a minimum requirement? Some more data points: - the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004 - OpenSSL 0.9.8 was released in July 2005 - the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007 - OpenSSL 1.0.0 was released in March 2010 I.e., no one should try to compile trunk against OpenSSL 0.9.6 these days, IMO (and even 0.9.7 isn't really a good idea, as the official releases are no longer maintained). Requiring at least 0.9.7 would essentially allow to get rid of ssl_callback_SSLVerify_CRL() completely, by switching to X509_STORE_CTX_set_flags/X509_VERIFY_PARAM_set_flags and setting X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL. On this occasion, it would probably make sense to drop support for the RSA BSAFE SSL-C toolkit, too (last update released in April 2007). Thoughts? Objections? Kaspar