httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: svn commit: r1374640 - /httpd/httpd/branches/2.2.x/STATUS
Date Sun, 19 Aug 2012 17:37:30 GMT
On 19/08/2012 18:22, Kaspar Brand wrote:
> On 18.8.12 21:51, William A. Rowe Jr. wrote:
>>>              to drop the #ifndef around SSL_PROTOCOL_SSLV2 in ssl_private.h,
>>>              this should also make some of the other "#if[n]def OPENSSL_NO_SSL2"
>>>              encapsulations unnecessary.
>>> +              [wrowe] agreed the patch was wrong, the #ifdef needed to be moved
>>> +                      up four lines.  Behavior is now correct in patch .2
>>> +                      Disagree about retaining SSL_PROTOCOL_SSLV2; this is one
>>> +                      of the most basic design patterns which exists to ensure
>>> +                      that we don't have some lingering code which is still
>>> +                      attempting to pursue SSLV2 games, not to mention that
>>> +                      the various macros and functions in those blocks may
>>> +                      simply disappear in an OPENSSL_NO_SSL2 build.
>>> +                      Bad idea, it helps us catch current and future problems.
> 
> After a closer look at the mechanics of OPENSSL_NO_SSL2 in OpenSSL, I
> think there's a misunderstanding of how OpenSSL exposes this
> compile-time option to applications linking against libssl. OpenSSL
> itself only defines OPENSSL_NO_SSL2 in the following case (openssl/ssl.h):
> 
>> #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
>> #define OPENSSL_NO_SSL2
>> #endif
> 
> (ssl.h is not customized by OpenSSL's Configure script, AFAICT you would
> have to call "openssl version -f" and look for any flags set at compile
> time.)
> 
> I.e., unless mod_ssl is explicitly compiled with -DOPENSSL_NO_SSL2 (set
> through CPPFLAGS/CFLAGS), an #ifdef OPENSSL_NO_SSL2 has no effect, and
> the blocks enclosed with #ifndef OPENSSL_NO_SSL2 will get included,
> irrespective of how OpenSSL has been compiled.
> 

The usual way is to use no-ssl2 as an argument to Configure or config which then
adds OPENSSL_NO_SSL2 into crypto/opensslconf.h

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
