On 19/08/2012 18:22, Kaspar Brand wrote:
> On 18.8.12 21:51, William A. Rowe Jr. wrote:
>>>      to drop the #ifndef around SSL_PROTOCOL_SSLV2 in ssl_private.h,
>>>      this should also make some of the other "#if[n]def OPENSSL_NO_SSL2"
>>>      encapsulations unnecessary.
>>>    + [wrowe] agreed the patch was wrong, the #ifdef needed to be moved
>>>      up four lines.  Behavior is now correct in patch .2
>>>    + Disagree about retaining SSL_PROTOCOL_SSLV2; this is one
>>>      of the most basic design patterns which exists to ensure
>>>      that we don't have some lingering code which is still
>>>      attempting to pursue SSLV2 games, not to mention that
>>>      the various macros and functions in those blocks may
>>>      simply disappear in an OPENSSL_NO_SSL2 build.
>>>      Bad idea, it helps us catch current and future problems.
>
> After a closer look at the mechanics of OPENSSL_NO_SSL2 in OpenSSL, I
> think there's a misunderstanding of how OpenSSL exposes this
> compile-time option to applications linking against libssl. OpenSSL
> itself only defines OPENSSL_NO_SSL2 in the following case (openssl/ssl.h):
>
>> #if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
>> #define OPENSSL_NO_SSL2
>> #endif
>
> (ssl.h is not customized by OpenSSL's Configure script, AFAICT you would
> have to call "openssl version -f" and look for any flags set at compile
> time.)
>
> I.e., unless mod_ssl is explicitly compiled with -DOPENSSL_NO_SSL2 (set
> through CPPFLAGS/CFLAGS), an #ifdef OPENSSL_NO_SSL2 has no effect, and
> the blocks enclosed with #ifndef OPENSSL_NO_SSL2 will get included,
> irrespective of how OpenSSL has been compiled.
>
The usual way is to use no-ssl2 as an argument to Configure or config which
then adds OPENSSL_NO_SSL2 into crypto/opensslconf.h

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
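An added illustration of the guard pattern argued over in this thread (it is not mod_ssl's or OpenSSL's own code): SSLv2-specific symbols are only defined when the library was not built with no-ssl2, so a protocol list naming SSLv2 is rejected at configuration time rather than silently accepted. In a real application the macro arrives via `#include <openssl/opensslconf.h>`, which OpenSSL's Configure writes when given `no-ssl2`; this example does not require OpenSSL to be installed, so it reads the macro from the compiler command line instead (`-DOPENSSL_NO_SSL2` simulates a no-ssl2 build). The bit values, the function names and the `parse_protocol_list()` syntax are assumptions for the example, not mod_ssl's actual definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real code would pull the build configuration from OpenSSL itself:
 *   #include <openssl/opensslconf.h>
 * Here OPENSSL_NO_SSL2 is taken from the compiler flags (assumption for this
 * example) so it builds without OpenSSL headers: compile with
 * -DOPENSSL_NO_SSL2 to simulate a library configured with no-ssl2. */

/* Protocol bitmask in the style of ssl_private.h (hypothetical values).
 * SSL_PROTOCOL_SSLV2 deliberately does not exist in a no-ssl2 build, so any
 * leftover SSLv2-only code fails to compile instead of lingering. */
#ifndef OPENSSL_NO_SSL2
#define SSL_PROTOCOL_SSLV2 (1 << 0)
#endif
#define SSL_PROTOCOL_SSLV3 (1 << 1)
#define SSL_PROTOCOL_TLSV1 (1 << 2)
#ifdef OPENSSL_NO_SSL2
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)
#else
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)
#endif

/* Returns 1 if SSLv2 support was compiled out of the library we build against. */
int sslv2_compiled_out(void)
{
#ifdef OPENSSL_NO_SSL2
    return 1;
#else
    return 0;
#endif
}

/* Parse a space-separated protocol list such as "SSLv3 TLSv1" or "all" into
 * a bitmask. Returns -1 on an unknown token, and also on "SSLv2" when the
 * protocol was compiled out, so a misconfiguration is reported at startup. */
int parse_protocol_list(const char *list)
{
    int mask = 0;
    const char *p = list;

    while (*p) {
        const char *start;
        size_t len;

        while (*p == ' ')          /* skip separators */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ' ')    /* find end of token */
            p++;
        len = (size_t)(p - start);

        if (len == 3 && strncmp(start, "all", 3) == 0) {
            mask |= SSL_PROTOCOL_ALL;
        } else if (len == 5 && strncmp(start, "SSLv3", 5) == 0) {
            mask |= SSL_PROTOCOL_SSLV3;
        } else if (len == 5 && strncmp(start, "TLSv1", 5) == 0) {
            mask |= SSL_PROTOCOL_TLSV1;
        } else if (len == 5 && strncmp(start, "SSLv2", 5) == 0) {
#ifdef OPENSSL_NO_SSL2
            return -1;             /* SSLv2 is not available in this build */
#else
            mask |= SSL_PROTOCOL_SSLV2;
#endif
        } else {
            return -1;             /* unknown protocol name */
        }
    }
    return mask;
}

int main(void)
{
    /* Constructed sample directive values for a stand-alone run. */
    const char *samples[] = { "all", "SSLv3 TLSv1", "SSLv2", "bogus" };
    size_t i;

    printf("SSLv2 compiled out: %d\n", sslv2_compiled_out());
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("\"%s\" -> %d\n", samples[i], parse_protocol_list(samples[i]));
    return 0;
}
```

Build it twice, once plain and once with `-DOPENSSL_NO_SSL2`, to see "SSLv2" go from accepted to rejected; that compile-time difference is exactly what the `#ifndef OPENSSL_NO_SSL2` guard around `SSL_PROTOCOL_SSLV2` buys, and it only works if the macro actually reaches the application, which is why Steve's pointer to `crypto/opensslconf.h` matters.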
