> -----Original Message-----
> From: Joe Orton
> Sent: Tuesday, 25 May 2010 14:46
> To: [email protected]
> Subject: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
>
> I'd like to drop support for versions of OpenSSL older than 1.0 in the
> trunk mod_ssl. We have 200+ lines of compat macro junk and still six
> different compiler warnings remain in a trunk build against 1.0.0.
>
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> mess which litters the code
>
> pro: simplify testing: no longer have to test/worry about regressing
> builds against N subtly different versions of the OpenSSL API all
>
> pro: can drop the internal CRL revocation code in favour of OpenSSL's
>
> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
> secure TLS reneg
>
> con: trunk/2.3 won't build on all platforms/distros which ship natively
> with OpenSSL < 1.0 (duh)

While the pros sound promising, this is a real strong con. Especially as this would mean that 2.4 would not work with OpenSSL < 1.0.

The problem I see is that if you want to use other OS provided libraries like openldap, they have dependencies on the OS provided OpenSSL, and binding Apache against a different OpenSSL version than these libraries are bound against looks like a big problem if Apache is bound to them as well. And building a whole stack of dependencies for Apache seems to be too large a hurdle for me for adoption.

So currently I would be -1 (vote not veto) on this.

Regards

Rüdiger
