On 25.05.2010 15:09, "Plüm, Rüdiger, VF-Group" wrote:
-----Original Message-----
From: Joe Orton
Sent: Dienstag, 25. Mai 2010 14:46
To: [email protected]
Subject: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
I'd like to drop support for versions of OpenSSL older than 1.0 in the
trunk mod_ssl. We have 200+ lines of compat macro junk and still six
different compiler warnings remain in a trunk build against 1.0.0.
pro: simplify code: remove ssl_toolkit_compat.h and all the compat macro
mess which litters the code
pro: simplify testing: no longer have to test/worry about regressing
builds against N subtly different versions of the OpenSSL API all
pro: can drop the internal CRL revocation code in favour of OpenSSL's
pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
secure TLS reneg
con: trunk/2.3 won't build on all platforms/distros which ship natively
with OpenSSL < 1.0 (duh)
While the pros sound promising, this is a really strong con.
Especially as this would mean that 2.4 would not work with OpenSSL < 1.0.
The problem I see is that if you want to use other OS-provided libraries
like OpenLDAP, they have dependencies on the OS-provided OpenSSL, and
binding Apache against a different OpenSSL version than the one these
libraries are bound against looks like a big problem if Apache is bound
to them as well.
And building a whole stack of dependencies for Apache seems to be too
large a hurdle for me for adoption.
So currently I would be -1 (vote, not veto) on this.
The same for me. Supporting only 0.9.8 and newer seems to be OK w.r.t.
supported platforms and what they provide now or what can be expected
from them. Deciding on a minimum 0.9.8 patch version is harder.
Although it would be good if vendors supported secure reneg soon, I
doubt that most users will have it on their servers in the next few
years. Some might get a backport into the vendor-supplied version, but
not really a full 0.9.8n or higher.
So I'd be +1 for dropping support for OpenSSL < 0.9.8.
Regards,
Rainer
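The thread turns on comparing OpenSSL release levels (0.9.8 vs. 0.9.8n vs. 1.0.0) the way a configure script or a compat header would, using the OPENSSL_VERSION_NUMBER encoding (one nibble major, two nibbles each for minor, fix and patch letter, one status nibble that is 0xf for a release). The following POSIX sh snippet is an added example, not code from this thread or from httpd's build system: it converts a release string into that encoding and compares it against a minimum, which is the check one would put in front of a "requires 0.9.8n or newer for secure renegotiation" decision. The function names are my own; the version strings fed in are constructed test input, not output of any installed library.

```shell
#!/bin/sh
# Encode an OpenSSL release string ("0.9.8", "0.9.8n", "1.0.0a") into the
# OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS used by <openssl/opensslv.h>:
#   M = major, NN = minor, FF = fix, PP = patch letter (a=1 .. z=26,
#   0 when absent), S = status nibble (0xf = release).
# Prints the number as a 0x-prefixed hex literal, e.g. 0.9.8n -> 0x009080ef.
openssl_vernum() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    fix=${rest%%[!0-9]*}          # leading digits of "8n" -> "8"
    letter=${rest#"$fix"}         # what remains -> "n" (or empty)
    if [ -n "$letter" ]; then
        # printf '%d' "'c" yields the character code of c; 'a' is 97.
        patch=$(( $(printf '%d' "'$letter") - 96 ))
    else
        patch=0
    fi
    printf '0x%01x%02x%02x%02x%01x\n' "$major" "$minor" "$fix" "$patch" 15
}

# Succeed (exit 0) when release $1 is at least release $2.
# Comparing the encoded integers, not the strings, is what makes
# "0.9.8n" >= "0.9.8m" and "1.0.0" >= "0.9.8n" come out right.
openssl_at_least() {
    have=$(openssl_vernum "$1")
    want=$(openssl_vernum "$2")
    [ $(( $have )) -ge $(( $want )) ]
}

# Example policy check in the style of a configure test: the minimum
# release assumed here (0.9.8m, the first 0.9.8 with RFC 5746 renegotiation)
# is a constructed input for illustration, not a decision from the thread.
check_secure_reneg_minimum() {
    if openssl_at_least "$1" 0.9.8m; then
        echo "$1: secure renegotiation available"
        return 0
    fi
    echo "$1: older than 0.9.8m, no secure renegotiation" >&2
    return 1
}
```

Usage: `openssl_vernum 0.9.8n` prints `0x009080ef`, and `check_secure_reneg_minimum 0.9.8k` fails, which is the case Rainer describes where a vendor build carries a backport under an old version string and a pure version gate cannot see it; for that, a feature test against the library itself is needed rather than a version comparison.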