On 19/08/2012 18:22, Kaspar Brand wrote:
> On 18.8.12 21:51, William A. Rowe Jr. wrote:
>>> to drop the #ifndef around SSL_PROTOCOL_SSLV2 in ssl_private.h,
>>> this should also make some of the other "#if[n]def OPENSSL_NO_SSL2"
>>> encapsulations unnecessary.
>>> + [wrowe] agreed the patch was wrong, the #ifdef needed to be moved
>>> + up four lines. Behavior is now correct in patch .2
>>> + Disagree about retaining SSL_PROTOCOL_SSLV2; this is one
>>> + of the most basic design patterns which exists to ensure
>>> + that we don't have some lingering code which is still
>>> + attempting to pursue SSLV2 games, not to mention that
>>> + the various macros and functions in those blocks may
>>> + simply disappear in an OPENSSL_NO_SSL2 build.
>>> + Bad idea, it helps us catch current and future problems.
>
> After a closer look at the mechanics of OPENSSL_NO_SSL2 in OpenSSL, I
> think there's a misunderstanding of how OpenSSL exposes this
> compile-time option to applications linking against libssl. OpenSSL
> itself only defines OPENSSL_NO_SSL2 in the following case (openssl/ssl.h):
>
>> #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
>> #define OPENSSL_NO_SSL2
>> #endif
>
> (ssl.h is not customized by OpenSSL's Configure script, AFAICT you would
> have to call "openssl version -f" and look for any flags set at compile
> time.)
>
> I.e., unless mod_ssl is explicitly compiled with -DOPENSSL_NO_SSL2 (set
> through CPPFLAGS/CFLAGS), an #ifdef OPENSSL_NO_SSL2 has no effect, and
> the blocks enclosed with #ifndef OPENSSL_NO_SSL2 will get included,
> irrespective of how OpenSSL has been compiled.
>
The usual way is to use no-ssl2 as an argument to Configure or config which then
adds OPENSSL_NO_SSL2 into crypto/opensslconf.h
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
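As an added example that is not part of this thread, the following POSIX shell check inspects the two places the thread names for the no-ssl2 decision: the opensslconf.h that "Configure no-ssl2" writes, and the compile flags that "openssl version -f" prints, plus the RSA/MD5 rule from ssl.h quoted above. The header contents and the version line are constructed samples, not output of a real build.

```shell
#!/bin/sh
# Constructed samples (not from a real build): an opensslconf.h as written by
# "./config no-ssl2", one from a default build, and the flag line each prints.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF_NOSSL2="$SAMPLE_DIR/opensslconf_nossl2.h"
SAMPLE_CONF_DEFAULT="$SAMPLE_DIR/opensslconf_default.h"
cat > "$SAMPLE_CONF_NOSSL2" <<'EOF'
/* opensslconf.h (constructed sample) */
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_KRB5
# define OPENSSL_NO_KRB5
#endif
EOF
cat > "$SAMPLE_CONF_DEFAULT" <<'EOF'
/* opensslconf.h (constructed sample) */
#ifndef OPENSSL_NO_KRB5
# define OPENSSL_NO_KRB5
#endif
EOF
SAMPLE_FLAGS_NOSSL2='compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_SSL2 -O3'
SAMPLE_FLAGS_DEFAULT='compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3'

# conf_defines HEADER MACRO: does the header applications include define MACRO?
conf_defines() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# flags_define FLAGLINE MACRO: does the "openssl version -f" line carry -DMACRO?
flags_define() {
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])-D$2([[:space:]]|$)"
}

# ssl2_status HEADER FLAGLINE: "disabled" if the library build turned SSLv2
# off, either via no-ssl2 or because ssl.h derives it from no-rsa / no-md5.
ssl2_status() {
    if conf_defines "$1" OPENSSL_NO_SSL2 || flags_define "$2" OPENSSL_NO_SSL2; then
        echo disabled
    elif conf_defines "$1" OPENSSL_NO_RSA || conf_defines "$1" OPENSSL_NO_MD5; then
        echo disabled
    else
        echo enabled
    fi
}

echo "no-ssl2 build: $(ssl2_status "$SAMPLE_CONF_NOSSL2" "$SAMPLE_FLAGS_NOSSL2")"
echo "default build: $(ssl2_status "$SAMPLE_CONF_DEFAULT" "$SAMPLE_FLAGS_DEFAULT")"
```

On a real system point the functions at the installed opensslconf.h and at the actual output of "openssl version -f".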