httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <>
Subject Re: svn commit: r1374640 - /httpd/httpd/branches/2.2.x/STATUS
Date Sat, 18 Aug 2012 19:51:09 GMT
On 8/18/2012 2:32 PM, wrote:
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Sat Aug 18 19:32:38 2012
>      Backport version for 2.2.x of the patches above:
> -
> +
>      +1: wrowe, 
>      kbrand: The #define HAVE_TLSV1_X stuff should go to ssl_toolkit_compat.h,
>                [wrowe] disagree, since that API was deprecated 
>              to drop the #ifndef around SSL_PROTOCOL_SSLV2 in ssl_private.h,
>              this should also make some of the other "#if[n]def OPENSSL_NO_SSL2"
>              encapsulations unnecessary.
> +              [wrowe] agreed the patch was wrong, the #ifdef needed to be moved
> +                      up four lines.  Behavior is now correct in patch .2
> +                      Disagree about retaining SSL_PROTOCOL_SSLV2; this is one
> +                      of the most basic design patterns which exists to ensure
> +                      that we don't have some lingering code which is still
> +                      attempting to pursue SSLV2 games, not to mention that
> +                      the various macros and functions in those blocks may
> +                      simply disappear disappear in an OPENSSL_NO_SSL2 build.
> +                      Bad idea, it helps us catch current and future problems.

Thanks for the feedback, Kaspar.  Other than shifting the one #ifdef case to the
correct line of code, I believe the patch is complete, I've tried to state my case
for no further changes.  If you would like to propose further changes, I'd really
prefer we defer these to 2.2.24-dev so we can T&R already.  I'm pretty sure you
already agree with me that the flexibility to disable a particular cipher in light
of exploit research in the very fresh openssl code base makes this patch pretty
critical to release for legacy, as well as stable.

Even if you can give the patch your +1, we still need one more individual to chime
in before we can finish this backport, and as I mention, OpenSSL's CVE-2012-2333
suggests that this patch is a showstopper.  Can one more person take a pass through
the code, since Stefan didn't have a chance to re-review this week?

View raw message