On Tue, May 25, 2010 at 8:45 AM, Joe Orton <jor...@redhat.com> wrote:
> I'd like to drop support for versions of OpenSSL older than 1.0 in the
> trunk mod_ssl. We have 200+ lines of compat macro junk and still six
> different compiler warnings remain in a trunk build against 1.0.0.
>
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> mess which litters the code
>
> pro: simplify testing: no longer have to test/worry about regressing
> builds against N subtly different versions of the OpenSSL API all
>
> pro: can drop the internal CRL revocation code in favour of OpenSSL's

sure

> pro: users will be "encouraged" to upgrade to a modern OpenSSL which has
> secure TLS reneg

OTOH, I guess that if our encouragement is successful then there would be
fewer httpd installations utilizing mostly-painless OpenSSL patches from
their OS vendor over the next few years. That may be bad for security
overall.

> con: trunk/2.3 won't build on all platforms/distros which ship natively
> with OpenSSL < 1.0 (duh)

bad for 2.3 alpha/beta testing

> con: I presume this will mean dropping support for the RSA/... toolkits,
> if they even work still, which I very much doubt

don't care

> So... love/hate?

both

--/--

There's no ready answer to this, but I wonder: How much of the current
conditional logic is required to support the OpenSSL in

fully patched RHEL 4
fully patched Solaris 10
(some other typical server platform that bundles OpenSSL)