Is there any important system where requiring PolarSSL >= 1.2.3 is not an option, besides "admin is too lazy or can't convince his manager that he needs to upgrade"?
This #ifdef stuff makes the whole story a bit inconcise. It might be suitable for 2.3.X, but not to base 2.4 or newer releases on. Barring that, I'd suggest adding stuff to fail the build with older PolarSSL versions and kill the PolarSSL < 1.2.3 code. It would seem from the changelogs that PolarSSL 1.2.N (with N highest available) does away with certain design issues in earlier versions, so there is a compelling reason to upgrade. (I was irritated anyway that the newest released OpenVPN version would not work with the newest stable PolarSSL version, and am forgoing the PolarSSL option on the FreeBSD port - we do have an up-to-date PolarSSL, so it wouldn't build.)