On 25/05/2010 13:45, Joe Orton wrote:
> I'd like to drop support for versions of OpenSSL older than 1.0 in the
> trunk mod_ssl. We have 200+ lines of compat macro junk and still six
> different compiler warnings remain in a trunk build against 1.0.0.
>
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> mess which litters the code
>
> pro: simplify testing: no longer have to test/worry about regressing
> builds against N subtly different versions of the OpenSSL API all
>
> pro: can drop the internal CRL revocation code in favour of OpenSSL's
>
> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
> secure TLS reneg
>
> con: trunk/2.3 won't build on all platforms/distros which ship natively
> with OpenSSL < 1.0 (duh)
>
> con: I presume this will mean dropping support for the RSA/... toolkits,
> if they even work still, which I very much doubt
>
> So... love/hate?
>
con: means FIPS 140-2 support would be dropped too. FIPS 140-2 is not
supported in 1.0.0, only 0.9.8 (well 0.9.7 too, but we recommend everyone
use the 1.2 module with 0.9.8 if possible).

If you'd said < 0.9.8m (because 0.9.8m and later support the reneg
extension) I'd be very much in favour. I haven't checked, but are there
many remaining toolkit issues with supporting 0.9.8m and later?

The CRL revocation checking in 0.9.8 is more primitive than 1.0.0 but
still should be better than the broken manual stuff mod_ssl uses.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
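As an added example (not code from this thread, from Apache httpd, or from OpenSSL), the script below parses `openssl version` banners into the pre-3.0 `OPENSSL_VERSION_NUMBER` encoding from `opensslv.h` (0xMNNFFPPS, patch letters numbered a=1 .. z=26, za=27 ...) and reports, for each build, which of the two floors argued over above it clears: Joe's proposed >= 1.0.0 and Steve's counter-proposal >= 0.9.8m. It also flags whether the build is on a branch Steve says can carry the FIPS 140-2 validated module (0.9.7 or 0.9.8). The thresholds and the FIPS/branch pairing are taken from the thread as stated, not independently verified, and the banners in `SAMPLE_VERSIONS` are constructed input.

```python
import re

# Accepts the bare "0.9.8m" form or the banner printed by `openssl version`
# ("OpenSSL 0.9.8m 25 Feb 2010"); anything after the version token is ignored.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:\s.*)?$")


def split_version(text):
    """Return (major, minor, fix, letters) for an OpenSSL 0.9.x/1.0.x version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    if major >= 3:
        # OpenSSL 3.0 dropped letter patch levels; its encoding is not handled here.
        raise ValueError("OpenSSL 3.x version strings are out of scope: %r" % text)
    return major, minor, fix, m.group(4)


def patch_level(letters):
    """Map patch letters to opensslv.h's PP field: "" = 0, "a" = 1, "z" = 26, "za" = 27, "zh" = 34."""
    return sum(ord(c) - ord("a") + 1 for c in letters)


def version_number(text):
    """Return OPENSSL_VERSION_NUMBER as opensslv.h encodes it: 0xMNNFFPPS.

    S is the status nibble; 0xf marks a release build, the only kind classified
    here.  0.9.8m -> 0x009080df, 1.0.0 -> 0x1000000f.
    """
    major, minor, fix, letters = split_version(text)
    return (major << 28) | (minor << 20) | (fix << 12) | (patch_level(letters) << 4) | 0xF


# The two floors argued over in the thread.
RENEG_MIN = version_number("0.9.8m")  # Steve: 0.9.8m and later support the reneg extension
TRUNK_MIN = version_number("1.0.0")   # Joe: proposed minimum for trunk mod_ssl

# Branches Steve says the FIPS 140-2 validated module can be used with (0.9.8 preferred).
FIPS_BRANCHES = ((0, 9, 7), (0, 9, 8))


def classify(text):
    """Report how one OpenSSL build fares under each proposal in the thread."""
    major, minor, fix, letters = split_version(text)
    n = version_number(text)
    return {
        "version": "%d.%d.%d%s" % (major, minor, fix, letters),
        "number": "0x%08x" % n,
        "secure_reneg": n >= RENEG_MIN,
        "ok_under_joe": n >= TRUNK_MIN,     # >= 1.0.0
        "ok_under_steve": n >= RENEG_MIN,   # >= 0.9.8m
        "fips_module_usable": (major, minor, fix) in FIPS_BRANCHES,
    }


# Constructed sample input in the shape `openssl version` prints.
SAMPLE_VERSIONS = [
    "OpenSSL 0.9.7m 23 Feb 2007",
    "OpenSSL 0.9.8l 5 Nov 2009",
    "OpenSSL 0.9.8m 25 Feb 2010",
    "OpenSSL 0.9.8zh 3 Dec 2015",
    "OpenSSL 1.0.0 29 Mar 2010",
    "OpenSSL 1.0.0a 1 Jun 2010",
]


def summarize(versions=SAMPLE_VERSIONS):
    """Classify every version, print a table, and return the rows for further use."""
    rows = [classify(v) for v in versions]
    fmt = "%-9s %-10s %-6s %-6s %-6s %s"
    print(fmt % ("version", "number", "reneg", "joe", "steve", "fips"))
    for r in rows:
        print(fmt % (r["version"], r["number"], r["secure_reneg"],
                     r["ok_under_joe"], r["ok_under_steve"], r["fips_module_usable"]))
    return rows


if __name__ == "__main__":
    summarize()
```

Run it against the output of `openssl version` on each build host to see which of the two floors a given distro's library would clear; the table makes Steve's point visible: every build that clears Joe's floor loses the FIPS column, while the 0.9.8m floor keeps it and still has the reneg extension.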
