httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?
Date Wed, 03 Aug 2011 17:29:20 GMT
On 03/08/2011 18:08, William A. Rowe Jr. wrote:
> On 8/3/2011 11:23 AM, Kaspar Brand wrote:
>> Ok, so the initial version of that patch became relatively large:
>>
>>   https://people.apache.org/~kbrand/mod_ssl-toolkit-support.v1.diff
>>
>> Even though trunk is CTR, I'm somewhat reluctant with simply going ahead
>> and would appreciate if people could comment on this approach (e.g. if
>> it's fine or splitting up would be preferred, etc.).
>>
>> In theory, the changes could be limited to the autoconf stuff - i.e.,
>> guard against OpenSSL < 0.9.7 and not detect BSAFE SSL-C any longer in
>> configure, and leave the mod_ssl code as is, mostly.
>>
>> I don't think that's what we want, however, so I tried to get rid of as
>> much of the macro cruft as possible (drop ssl_toolkit_compat.h, remove
>> obsolete ifdef'ed code and so on).
> 
> My thought is that it probably should be a set of commits:
> 
>  * Drop SSLC (first patch)
>  * Drop OpenSSL < 0.9.7 (second patch)
>  * Drop ssl_toolkit_compat wrapper (third patch)
>  * Warn on 0.9.7 and some 0.9.8 flavors (last patch)
A data point for this effort which may be of interest...

In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
related structures opaque and only allow them to be accessed through functions.
This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
headers.

The advantage of this is that any application which can be compiled with this
option will retain binary compatibility through any changes to SSL internal
structures.

I haven't had time to try getting mod_ssl to work with this option. It is
guaranteed to fail without some modification. There may well be some
functionality missing in OpenSSL too.

Ironically to support this you'd need to avoid some of the changes in this
patch. For example:

-        l = strlen(SSL_CIPHER_get_name(c));
-        memcpy(cp, SSL_CIPHER_get_name(c), l);
+        l = strlen(c->name);
+        memcpy(cp, c->name, l);
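Review bot: the two `+` lines replace the `SSL_CIPHER_get_name(c)` accessor with a direct `c->name` field dereference, which stops compiling once `SSL_CIPHER` is made opaque (the `OPENSSL_NO_SSL_INTERN` build described above), so this part of the patch moves mod_ssl away from binary compatibility with future OpenSSL internals rather than towards it. Keep the accessor form, i.e. `l = strlen(SSL_CIPHER_get_name(c));` and `memcpy(cp, SSL_CIPHER_get_name(c), l);`, or call the accessor once into a local `const char *` so the name is not fetched twice.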

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
