Dr Stephen Henson wrote:
> On 25/05/2010 13:45, Joe Orton wrote:
> > I'd like to drop support for versions of OpenSSL older than 1.0 in
> > the trunk mod_ssl. We have 200+ lines of compat macro junk and still
> > six different compiler warnings remain in a trunk build against 1.0.0.
> >
> > pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> > mess which litters the code
> > pro: simplify testing: no longer have to test/worry about regressing
> > builds against N subtly different versions of the OpenSSL API all
> > pro: can drop the internal CRL revocation code in favour of OpenSSL's
> > pro: users will be "encouraged" to upgrade to a modern OpenSSL which
> > has secure TLS reneg
> >
> > con: trunk/2.3 won't build on all platforms/distros which ship
> > natively with OpenSSL < 1.0 (duh)
> > con: I presume this will mean dropping support for the RSA/...
> > toolkits, if they even work still, which I very much doubt
> >
> > So... love/hate?
>
> con: means FIPS 140-2 support would be dropped too. FIPS 140-2 is not
> supported in 1.0.0, only 0.9.8 (well 0.9.7 too but we recommend everyone
> use the 1.2 module with 0.9.8 if possible).
Belated comment: FIPS 140-2 is used with Apache, both directly as open
source and as vendor supplied binaries. FIPS 140-2 is required in U.S.
DoD and federal government environments (where I do much of my
consulting work). That requirement has been in place for years but is
now actually being enforced. Many users would like to upgrade but can't
due to that requirement.
Until a new FIPS validation is available for OpenSSL 1.0.0 it would IMHO
be a Very Bad Thing to drop support for 0.9.8. Such a validation will
require commercial or government sponsorship, as did the earlier
validations, plus a long lead time. We get occasional expressions of
interest but nothing solid yet, but I'm confident it will happen
eventually. In the meantime, dropping support for 0.9.8 will force many
government sector Apache users elsewhere.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775