On Mon, Mar 23, 2020 at 6:11 PM Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 3/23/20 2:48 PM, Ruediger Pluem wrote:
> >
> >
> > On 3/23/20 2:44 PM, Rainer Jung wrote:
> >> The dependency on SSL_CTX_get_min_proto_version() and
> >> SSL_CTX_get_max_proto_version() was introduced in October by Yann's
> >> "r1868645 mod_ssl: negotiate the TLS protocol version per name based vhost
> >> configuration".
> >>
> >> Although the set variants are available in 1.1.0, the set were added later
> >> in 1.1.0g.
> >>
> >> Not sure, whether adjusting the version check as done now is the right
> >> fix. At least it unbreaks building httpd against OpenSSL
> >> 1.1.0-1.1.0f.
> >>
> >> The original change has been backported to 2.4.x, so building that for the
> >> above OpenSSL versions is currently broken.
> >
> > IMHO we should backport it then once clarified that this is the correct
> > thing to do and ensure that it gets in 2.4.43.
>
> I think this is a release blocker.

+1

>
> Question is if we should increase the Openssl version number to the same
> level for the #if around
> ssl_callback_ClientHello and the respective callback registering code.

I think we should be good with Rainer's patch, ssl_callback_ClientHello()
depends on OpenSSL >= 1.1.1 already.

Regards,
Yann.
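
The version boundaries discussed in this thread, as an added example that is not part of the original messages or of httpd's code: it encodes OpenSSL release strings into the `OPENSSL_VERSION_NUMBER` layout and shows which releases fall into the 1.1.0-1.1.0f gap. The helper names are hypothetical, the `0xMNNFFPPSL` layout is the one used by OpenSSL 1.0.x/1.1.x, and the guard modelled here (one that tests only for 1.1.0) is an assumption.

```c
#include <ctype.h>
#include <stdio.h>

/* Thresholds in the 0xMNNFFPPSL layout used by OpenSSL 1.0.x/1.1.x
 * (major, minor, fix, patch letter a=1..., status 0xf = release). */
#define OSSL_1_1_0   0x1010000fUL  /* set_{min,max}_proto_version available */
#define OSSL_1_1_0G  0x1010007fUL  /* first release outside 1.1.0-1.1.0f */
#define OSSL_1_1_1   0x1010100fUL  /* ssl_callback_ClientHello() needs this */

/* Hypothetical helper: "1.1.0f" -> 0x1010006f; returns 0 if unparsable. */
unsigned long ossl_version_number(const char *v)
{
    unsigned int major, minor, fix;
    char letter = 0;
    unsigned long patch = 0;
    int n = sscanf(v, "%u.%u.%u%c", &major, &minor, &fix, &letter);

    if (n < 3 || major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    if (n == 4) {
        if (!islower((unsigned char)letter))
            return 0;
        patch = (unsigned long)(letter - 'a' + 1);
    }
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
         | ((unsigned long)fix << 12) | (patch << 4) | 0xfUL;
}

/* 1 when a guard that only tests ">= 1.1.0" (assumed here) would compile
 * calls to the get_{min,max}_proto_version functions this release lacks. */
int getters_guard_too_loose(const char *v)
{
    unsigned long n = ossl_version_number(v);
    return n >= OSSL_1_1_0 && n < OSSL_1_1_0G;
}

int main(void)
{
    /* Constructed sample versions. */
    const char *samples[] = { "1.0.2u", "1.1.0", "1.1.0f", "1.1.0g", "1.1.1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        unsigned long n = ossl_version_number(samples[i]);
        printf("%-7s 0x%08lxL getters:%s ClientHello:%s%s\n", samples[i], n,
               n >= OSSL_1_1_0G ? "yes" : "no", n >= OSSL_1_1_1 ? "yes" : "no",
               getters_guard_too_loose(samples[i]) ? "  <- build breaks" : "");
    }
    return 0;
}
```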