Message-ID: <4E3E6DB5.3050400@velox.ch>
Date: Sun, 07 Aug 2011 12:49:25 +0200
From: Kaspar Brand
To: dev@httpd.apache.org
Subject: Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?
In-Reply-To: <4E3C0E98.70605@rowe-clan.net>

On 05.08.2011 17:39, William A. Rowe Jr. wrote:
> On 8/5/2011 2:57 AM, Stefan Fritsch wrote:
>> On Friday 05 August 2011, Kaspar Brand wrote:
>>> On 03.08.2011 19:08, William A. Rowe Jr. wrote:
>>>> My thought, it probably should be a set of commits;
>>>>
>>>> * Drop SSLC (first patch)
>>>> * Drop OpenSSL < 0.9.7 (second patch)
>>>> * Drop ssl_toolkit_compat wrapper (third patch)
>>>> * Warn on 0.9.7 and some 0.9.8 flavors (last patch)
>>>
>>> Ok, I'll try splitting it into more digestible pieces. Do you
>>> suggest committing them at the same time then, or possibly wait a
>>> few days in between (in case someone wants to build from the
>>> interim versions)?
>>
>> I don't think waiting is necessary. People can always check out an
>> interim revision if they want.
>
> Precisely. This just makes it easier to follow the activity through
> svn history.

Committed as r1154683 (drop SSL-C support), r1154687 (remove
ssl_toolkit_compat layer), and r1154688 (require OpenSSL 0.9.7).

Right now, configure no longer warns about specific older OpenSSL
versions - it just checks for OPENSSL_VERSION_NUMBER >= 0x0090700f.
Keeping track of vulnerable versions would possibly require frequent
updates to acinclude.m4 (also in 2.2.x, of course), and second, I'm not
sure how many people really have a close look at the configure output.

NetWare folks: please note that I didn't touch modules/ssl/NWGNUmakefile
so far - i.e. it still allows building with the "Novell NTLS SDK" (in
theory, at least). As I'm neither familiar with the NetWare platform nor
do I have a test environment, I'd appreciate if the experts could have a
look - and patch, if needed. Thanks!

Kaspar
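
The version floor mentioned in the message, as an added example that is not part of the original e-mail or of httpd's acinclude.m4: it decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) and applies the same >= 0x0090700f comparison. The function names and the sample values are constructed for illustration.

```c
#include <stdio.h>

/* Pre-3.0 OpenSSL encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'),
 * S status (0 = dev, 1..0xe = beta, 0xf = release). */
#define MIN_OPENSSL_VERSION 0x0090700fUL /* from the message: 0.9.7 release */

struct ossl_version { unsigned major, minor, fix, patch, status; };

/* Split the packed number into its fields (hypothetical helper). */
struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* The floor comparison the message says configure performs. */
int ossl_meets_minimum(unsigned long v)
{
    return v >= MIN_OPENSSL_VERSION;
}

/* Render e.g. "0.9.8k" or "0.9.7-beta" into buf and return buf. */
const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version d = ossl_decode(v);
    char letter[2] = { '\0', '\0' };
    const char *tag = d.status == 0xf ? "" : d.status == 0 ? "-dev" : "-beta";
    if (d.patch >= 1 && d.patch <= 26)
        letter[0] = (char)('a' + d.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s%s", d.major, d.minor, d.fix, letter, tag);
    return buf;
}

int main(void)
{
    /* Constructed sample values in the layout above, not from the message. */
    unsigned long samples[] = { 0x009060dfUL, 0x00907003UL, 0x0090700fUL, 0x009080bfUL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx  %-12s %s\n", samples[i],
               ossl_format(samples[i], buf, sizeof buf),
               ossl_meets_minimum(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The comparison is a pure floor: it rejects 0.9.7 betas and anything older, and accepts every later release regardless of its patch letter.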