I'm considering cleaning up some of the cert revocation checking code in
mod_ssl, in particular ssl_callback_SSLVerify_CRL(), which currently has
the following comment:

 * OpenSSL provides the general mechanism to deal with CRLs but does not
 * use them automatically when verifying certificates, so we do it
 * explicitly here. We will check the CRL for the currently checked
 * certificate, if there is such a CRL in the store.

This was true in 1999 when CRL support was originally added to mod_ssl
by rse, but times have changed - CRL checking support was introduced
with OpenSSL 0.9.7, released in December 2002
(http://cvs.openssl.org/chngview?cn=4670).

Question: does anybody object to mod_ssl in trunk having OpenSSL 0.9.7
as a minimum requirement?

Some more data points:

- the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004

- OpenSSL 0.9.8 was released in July 2005

- the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007

- OpenSSL 1.0.0 was released in March 2010

I.e., no one should try to compile trunk against OpenSSL 0.9.6 these
days, IMO (and even 0.9.7 isn't really a good idea, as the official
releases are no longer maintained).

Requiring at least 0.9.7 would essentially allow us to get rid of
ssl_callback_SSLVerify_CRL() completely, by switching to
X509_STORE_CTX_set_flags/X509_VERIFY_PARAM_set_flags and setting
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL.

On this occasion, it would probably make sense to drop support for the
RSA BSAFE SSL-C toolkit, too (last update released in April 2007).

Thoughts? Objections?

Kaspar
