On 03/08/2011 18:08, William A. Rowe Jr. wrote: > On 8/3/2011 11:23 AM, Kaspar Brand wrote: >> Ok, so the initial version of that patch became relatively large: >> >> https://people.apache.org/~kbrand/mod_ssl-toolkit-support.v1.diff >> >> Even though trunk is CTR, I'm somewhat reluctant with simply going ahead >> and would appreciate if people could comment on this approach (e.g. if >> it's fine or splitting up would be preferred, etc.). >> >> In theory, the changes could be limited to the autoconf stuff - i.e., >> guard against OpenSSL < 0.9.7 and not detect BSAFE SSL-C any longer in >> configure, and leave the mod_ssl code as is, mostly. >> >> I don't think that's what we want, however, so I tried to get rid of as >> much of the macro cruft as possible (drop ssl_toolkit_compat.h, remove >> obsolete ifdef'ed code and so on). > > My thought, it probably should be a set of commits; > > * Drop SSLC (first patch) > * Drop OpenSSL < 0.9.7 (second patch) > * Drop ssl_toolkit_compat wrapper (third patch) > * Warn on 0.9.7 and some 0.9.8 flavors (last patch) > >
A data point for this effort which may be of interest... In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL related structures opaque and only allow them to be accessed through functions. This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL headers. The advantage of this is that any application which can be compiled with this option will retain binary compatibility through any changes to SSL internal structures. I haven't had time to try getting mod_ssl to work with this option. It is guaranteed to fail without some modification. There may well be some functionality missing in OpenSSL too. Ironically to support this you'd need to avoid some of the changes in this patch. For example: - l = strlen(SSL_CIPHER_get_name(c)); - memcpy(cp, SSL_CIPHER_get_name(c), l); + l = strlen(c->name); + memcpy(cp, c->name, l); Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
