On 10/28/2009 04:40 PM, Guenter Knauf wrote:
> Dr Stephen Henson wrote:
>> Guenter Knauf wrote:
>>> Well, I guess it's possible to do that - but isn't it possible to depend
>>> on an OpenSSL version number here?
>>>
>> How far do we have to go back here? OCSP support has been in OpenSSL since
>> version 0.9.7 release 19 Feb 2003.
> we have:
>
> +#if OPENSSL_VERSION_NUMBER >= 0x00908080 && defined(HAVE_OCSP) \
> + && !defined(OPENSSL_NO_TLSEXT)
> #define HAVE_OCSP_STAPLING
> #endif
>
> so we only support HAVE_OCSP_STAPLING with OpenSSL >= 0x00908080, and it
> seems that we don't need to include openssl/ocsp.h if we don't set
> HAVE_OCSP_STAPLING, so let's just move the above check up, and modify to:
>
> #if (OPENSSL_VERSION_NUMBER >= 0x00908080) \
>     && !defined(OPENSSL_NO_TLSEXT)
> #define HAVE_OCSP_STAPLING
> #include <openssl/ocsp.h>
> #endif
>
> and no further need for a HAVE_OCSP define on any platform ...
>
> comments?
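
Review bot: The added `#if` line compares against the bare constant 0x00908080 with no comment naming the OpenSSL release it encodes, so the stapling cutoff cannot be checked without decoding the version macro by hand; a one-line comment above the condition would fix that. The same condition also tests defined(HAVE_OCSP), so wherever this block ends up it has to stay below the point where HAVE_OCSP is defined, otherwise HAVE_OCSP_STAPLING is silently never set and the stapling code is compiled out without any build error.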

We do not need it only for OCSP stapling but also for "normal" OCSP support.
See ssl_util_ocsp.c
So HAVE_OCSP IMHO still makes sense. Or we need to rely everywhere entirely on
the OPENSSL_VERSION_NUMBER macro for deciding whether we have OCSP / OCSP
stapling support.

Regards

Rüdiger
