On 18/03/14 10:39, Steffan Karger wrote:
> Hi,
> On 17/03/2014 23:23, James Yonan wrote:
>> On 17/03/2014 14:29, Gert Doering wrote:
>>> Right now, if I read configure.ac correctly, we require 0.9.6 or later
>>> (and check this only if pkg-config is available) - but obviously,
>>> SSL_OP_NO_TICKET was added later on.
>>> Fix 1: only use SSL_OP_NO_TICKET if available
>>> Fix 2: require a more recent OpenSSL version
>> I would think an #ifdef should be fine.
> SSL_OP_NO_TICKET was added in OpenSSL 0.9.8f / 1.0.0. The ECDH-patchset (for
> 2.4) already requires 0.9.8, so I would prefer to require 0.9.8f or newer for
> master/2.4, but just add #ifdef's for 2.3.
I disagree. It is not safe to assume that the #ifdef is bound to a
particular version of OpenSSL; for example, on my CentOS 6.5 box I have
openssl 1.0.1e yet the define
#define SSL_OP_NO_TICKET 0x00004000L
is NOT present in the system ssl.h file.
Don't ask me why, don't question the sanity of CentOS/RedHat, don't
assume that "openssl vX.Y.Z will have support for ...."
(RedHat also strips ECDH support from openssl due to claimed licensing
restrictions).
Let's just check for the #ifdef regardless of the version of OpenSSL.
cheers,
JJK
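
The macro-based check argued for in the last message, next to the version-based assumption it warns against, as an added example that is not code from this thread or from the OpenVPN or OpenSSL sources. The function names and `NO_TICKET_MIN_VERSION` are hypothetical, and the conditional include assumes a compiler with `__has_include` (GCC or clang) so the file builds whether or not OpenSSL headers are installed.

```c
#include <stdio.h>

#if defined(__has_include)            /* assumption: GCC/clang extension */
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif

/* 0.9.8f in OPENSSL_VERSION_NUMBER encoding (hypothetical name). */
#define NO_TICKET_MIN_VERSION 0x0090806fL

/* 1 if the headers actually compiled against define the macro. */
int no_ticket_declared(void)
{
#ifdef SSL_OP_NO_TICKET
    return 1;
#else
    return 0;
#endif
}

/* 1 if a version-number test alone would assume the macro exists. */
int version_implies_no_ticket(void)
{
#ifdef OPENSSL_VERSION_NUMBER
    return OPENSSL_VERSION_NUMBER >= NO_TICKET_MIN_VERSION;
#else
    return 0;
#endif
}

/* OR the option into a mask for SSL_CTX_set_options() only if declared. */
unsigned long long harden_tls_options(unsigned long long opts, int *applied)
{
    *applied = no_ticket_declared();   /* caller can log when this is 0 */
#ifdef SSL_OP_NO_TICKET
    opts |= (unsigned long long)SSL_OP_NO_TICKET;
#endif
    return opts;
}

int main(void)
{
    int applied;
    unsigned long long mask = harden_tls_options(0, &applied);
    printf("version test: %d, macro declared: %d, applied: %d, mask: 0x%llx\n",
           version_implies_no_ticket(), no_ticket_declared(), applied, mask);
    return 0;
}
```

On a system like the one described above, the first two printed values would differ, which is the case a version-only check in configure.ac cannot see.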