Hi Kaspar,

On 31.07.2011 09:38, Kaspar Brand wrote:
> I'm considering cleaning up some of the cert revocation checking code in
> mod_ssl, in particular ssl_callback_SSLVerify_CRL(), which currently has
> the following comment:
>
>  * OpenSSL provides the general mechanism to deal with CRLs but does not
>  * use them automatically when verifying certificates, so we do it
>  * explicitly here. We will check the CRL for the currently checked
>  * certificate, if there is such a CRL in the store.
>
> This was true in 1999 when CRL support was originally added to mod_ssl
> by rse, but times have changed - CRL checking support was introduced
> with OpenSSL 0.9.7, released in December 2002
> (http://cvs.openssl.org/chngview?cn=4670).
>
> Question: does anybody object to mod_ssl in trunk having OpenSSL 0.9.7
> as a minimum requirement?
>
> Some more data points:
>
> - the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004
>
> - OpenSSL 0.9.8 was released in July 2005
>
> - the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007
>
> - OpenSSL 1.0.0 was released in March 2010
>
> I.e., no one should try to compile trunk against OpenSSL 0.9.6 these
> days, IMO (and even 0.9.7 isn't really a good idea, as the official
> releases are no longer maintained).
>
> Requiring at least 0.9.7 would essentially allow getting rid of
> ssl_callback_SSLVerify_CRL() completely, by switching to
> X509_STORE_CTX_set_flags/X509_VERIFY_PARAM_set_flags and setting
> X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL.
>
> On this occasion, it would probably make sense to drop support for the
> RSA BSAFE SSL-C toolkit, too (last update released in April 2007).
>
> Thoughts? Objections?
There was a similar discussion "RFC: drop support for OpenSSL < 1.0 in
trunk/2.3?" on this list in May/June 2010. Joe summed it up as:

   Thanks very much for all the responses. There is strong consensus for
   retaining support for some varieties of 0.9.8 and possibly some 0.9.7.

   A new RFC, then, for trunk/2.3 and beyond:

   - support and build warning-free with OpenSSL >= 0.9.8
   - support and build with OpenSSL >= 0.9.7a, albeit with (harmless)
     compiler warnings about argument const-ness all over the shop
   - drop support for OpenSSL < 0.9.7a
   - drop support for non-OpenSSL/derivatives of OpenSSL

   (I have tried this out and it seems perfectly feasible.)

   Regards, Joe

and this was what gained consensus. The details are at:

http://marc.info/?t=127479165100003&r=1&w=2

Regards,

Rainer
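The behaviour the old mod_ssl comment describes (OpenSSL has the CRL machinery but does not consult it during verification unless asked) can be checked from the command line. The script below is an added example, not code from this thread or from httpd: it generates a throwaway CA, a leaf certificate and a CRL revoking that leaf, then runs `openssl verify` twice against the same store. `-crl_check` sets the same X509_V_FLAG_CRL_CHECK that mod_ssl would set through X509_VERIFY_PARAM_set_flags(), so the difference between the two runs is exactly the flag Kaspar proposes relying on. The config layout, file names and subject names are my own choices; the script assumes an `openssl` binary of 1.1.0 or later (so that `verify` exits non-zero on failure).

```shell
#!/bin/sh
# Added example (not from the httpd thread): OpenSSL keeps CRLs in the store
# but ignores them at verify time unless X509_V_FLAG_CRL_CHECK is set.
# `openssl verify -crl_check` sets exactly that flag on the verify params,
# so the behaviour mod_ssl would get from X509_VERIFY_PARAM_set_flags() can
# be observed without writing C. All key material is generated on the fly.
set -e

# Minimal config serving both `openssl req` and `openssl ca`; paths are
# relative to the working directory $1 (layout chosen for this example).
write_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = db/index.txt
serial           = db/serial
crlnumber        = db/crlnumber
new_certs_dir    = db
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
}

# Create a CA, a leaf signed by it, and a CRL revoking the leaf, under $1.
make_pki() {
    mkdir -p "$1/db"
    write_config "$1"
    ( cd "$1" || exit 1
      : > db/index.txt
      echo 1000 > db/serial
      echo 1000 > db/crlnumber
      # Self-signed CA with CA:TRUE and cRLSign: CRL checking rejects a CRL
      # whose issuer carries a keyUsage without cRLSign.
      openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=Throwaway Test CA" -keyout ca.key -out ca.pem 2>/dev/null
      # Leaf certificate issued by that CA.
      openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
          -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -days 30 -out leaf.pem 2>/dev/null
      # Revoke the leaf and publish a CRL that says so.
      openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
      openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
}

# CRL loaded into the store, but no CRL flag (OpenSSL's default):
# returns 0 ("OK") even though the leaf is on the CRL.
verify_without_crl_check() {
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# Same store plus X509_V_FLAG_CRL_CHECK (-crl_check): returns non-zero,
# "certificate revoked", the check ssl_callback_SSLVerify_CRL() reimplemented.
verify_with_crl_check() {
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check \
        "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_pki "$work"
if verify_without_crl_check "$work"; then
    echo "no CRL flag: leaf accepted (CRL in store but never consulted)"
else
    echo "no CRL flag: leaf rejected"
fi
if verify_with_crl_check "$work"; then
    echo "-crl_check:  leaf accepted"
else
    echo "-crl_check:  leaf rejected (certificate revoked)"
fi
rm -rf "$work"
```

Two caveats worth keeping in mind when moving mod_ssl onto the flags: `-crl_check_all` is the CLI analogue of X509_V_FLAG_CRL_CHECK_ALL and makes OpenSSL demand a CRL for every CA in the chain below the root, not just for the leaf; and once either flag is set, a CRL that is simply missing from the store is no longer ignored but fails verification with X509_V_ERR_UNABLE_TO_GET_CRL (drop `-CRLfile` from the `-crl_check` run above to see it). A server that previously shipped without CRLs therefore changes behaviour the moment the flag is switched on.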