From: Dr Stephen Henson
Organization: The OpenSSL Foundation
Date: Sun, 19 Aug 2012 18:37:30 +0100
To: dev@httpd.apache.org
Subject: Re: svn commit: r1374640 - /httpd/httpd/branches/2.2.x/STATUS

On 19/08/2012 18:22, Kaspar Brand wrote:
> On 18.8.12 21:51, William A. Rowe Jr. wrote:
>>> to drop the #ifndef around SSL_PROTOCOL_SSLV2 in ssl_private.h,
>>> this should also make some of the other "#if[n]def OPENSSL_NO_SSL2"
>>> encapsulations unnecessary.
>>> + [wrowe] agreed the patch was wrong, the #ifdef needed to be moved
>>> + up four lines. Behavior is now correct in patch .2
>>> + Disagree about retaining SSL_PROTOCOL_SSLV2; this is one
>>> + of the most basic design patterns which exists to ensure
>>> + that we don't have some lingering code which is still
>>> + attempting to pursue SSLV2 games, not to mention that
>>> + the various macros and functions in those blocks may
>>> + simply disappear disappear in an OPENSSL_NO_SSL2 build.
>>> + Bad idea, it helps us catch current and future problems.
>
> After a closer look at the mechanics of OPENSSL_NO_SSL2 in OpenSSL, I
> think there's a misunderstanding of how OpenSSL exposes this
> compile-time option to applications linking against libssl. OpenSSL
> itself only defines OPENSSL_NO_SSL2 in the following case (openssl/ssl.h):
>
>> #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
>> #define OPENSSL_NO_SSL2
>> #endif
>
> (ssl.h is not customized by OpenSSL's Configure script, AFAICT you would
> have to call "openssl version -f" and look for any flags set at compile
> time.)
>
> I.e., unless mod_ssl is explicitly compiled with -DOPENSSL_NO_SSL2 (set
> through CPPFLAGS/CFLAGS), an #ifdef OPENSSL_NO_SSL2 has no effect, and
> the blocks enclosed with #ifndef OPENSSL_NO_SSL2 will get included,
> irrespective of how OpenSSL has been compiled.
>

The usual way is to use no-ssl2 as an argument to Configure or config which then
adds OPENSSL_NO_SSL2 into crypto/opensslconf.h

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
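
The thread names two ways an application ends up seeing OPENSSL_NO_SSL2: Configure no-ssl2 writing it into opensslconf.h, and ssl.h deriving it from OPENSSL_NO_RSA or OPENSSL_NO_MD5. The shell check below is an added example, not part of the original message and not httpd or OpenSSL code; it scans an opensslconf.h textually for either case. The function names and the two sample headers are constructed for illustration, and the header layout is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from httpd/OpenSSL.

# Print every OPENSSL_NO_* macro that the header "$1" defines, one per line.
# Accepts "#define X", "# define X" and indented forms; "#ifndef X" and
# "#undef X" lines do not match. Conditionals are not evaluated.
openssl_no_macros() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(OPENSSL_NO_[A-Z0-9_]*\).*/\1/p' "$1" | sort -u
}

# Exit 0 if code including <openssl/ssl.h> would see OPENSSL_NO_SSL2:
# either opensslconf.h ("$1") defines it (Configure no-ssl2), or it defines
# OPENSSL_NO_RSA / OPENSSL_NO_MD5, from which ssl.h derives it.
sees_no_ssl2() {
    openssl_no_macros "$1" | grep -Eqx 'OPENSSL_NO_(SSL2|RSA|MD5)'
}

# Constructed sample headers (assumed layout, trimmed): one as generated by
# "./config no-ssl2", one from a default build.
make_samples() {
    dir=$1
    cat > "$dir/no_ssl2.h" <<'EOF'
/* opensslconf.h (constructed sample) */
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
EOF
    cat > "$dir/default.h" <<'EOF'
/* opensslconf.h (constructed sample) */
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
/* #define OPENSSL_NO_SSL2 would appear here after "Configure no-ssl2" */
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
for h in "$tmp/no_ssl2.h" "$tmp/default.h"; do
    if sees_no_ssl2 "$h"; then echo "$h: SSLv2 compiled out"
    else echo "$h: SSLv2 code paths still compiled in"; fi
done
rm -rf "$tmp"
```

Point `sees_no_ssl2` at the opensslconf.h that the mod_ssl build actually includes; a header from a different OpenSSL tree than the linked libssl gives a misleading answer.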