On Sep 24, 2014, at 8:40 AM, Susan Hinrichs <[email protected]> wrote:
> Noticed something in the RHEL5 build while tracking down build errors. For
> RHEL5 master build TS_USE_TLS_SNI is not defined which means the function
> SSL_CTX_set_tlsext_servername_callback is not set in the version of openssl
> used by RHEL5. This means that SSL certificate support in 5.x will not work
> on RHEL5 because only the default cert is loaded initially. The real certs
> are applied in the SNI callback (which will not get called).
>
> Actually looking more closely at the RHEL5 build output we see
>
> checking for SSL_CTX_set_tlsext_servername_callback... yes
> checking for SSL_get_servername... no
> checking whether to enable ServerNameIndication TLS extension support... no
>
> Which to me means that the SNI callback logic is present, but the accessor
> method to get the name later is not present. If we really needed to support
> certificates in RHEL5, we could work around that.

Yikes, that seems like a pretty bad bug.

>
> On 9/21/2014 7:33 PM, Brian Geffon wrote:
>> Ok, so I just found this in SSLUtils.cc:
>>
>> #if (OPENSSL_VERSION_NUMBER < 0x00090400L)
>> # error Traffic Server requires an OpenSSL library version 0.9.4 or greater
>> #endif
>>
>> On Sun, Sep 21, 2014 at 5:31 PM, James Peach <[email protected]> wrote:
>>
>>> On Sep 21, 2014, at 5:23 PM, Brian Geffon <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> This is something that apparently has never been brought up, we don't have
>>>> a strict OpenSSL minimum version. By explicitly stating our minimum
>>>> supported OpenSSL version we can clean up our SSL code, specifically around
>>>> the SNI #ifdefs. I'm going to propose that we make *0.9.8f* our minimum
>>>> supported version. This was the first version to support SNI and was
>>>> released in late 2007 (around 7 years ago). It seems like a good place to
>>>> start. Thoughts?
>>>
>>> +1, provided the configure script checks for it, and we document it :)
>>>
>>> J
>>>
>
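The thread's build guard compares OPENSSL_VERSION_NUMBER against a hex constant, and the proposal is to raise the minimum to 0.9.8f. The following is an added example, not code from the thread or from Traffic Server: it encodes the pre-3.0 OpenSSL version-number layout (0xMNNFFPPS) so a minimum such as 0.9.8f can be turned into the constant a `#if` guard needs, and performs the same comparison at run time.

```c
#include <stdio.h>
#include <stdbool.h>

/* Added example, not code from the Traffic Server thread or project.
 * Layout of OPENSSL_VERSION_NUMBER for OpenSSL 0.9.5 through 1.1.x: 0xMNNFFPPS
 *   M  = major, NN = minor, FF = fix,
 *   PP = patch letter (a=01, b=02, ..., 00 = no letter),
 *   S  = status nibble (0x0 dev, 0x1..0xe beta, 0xf release).
 * OpenSSL 3.0 changed this layout, so the encoding below is only for the
 * versions the thread is discussing. */

/* Build the numeric form from its parts; patch is the letter or '\0' for none. */
unsigned long openssl_version_number(unsigned major, unsigned minor,
                                     unsigned fix, char patch, unsigned status)
{
    unsigned pp = (patch >= 'a' && patch <= 'z') ? (unsigned)(patch - 'a' + 1) : 0;
    return ((unsigned long)major  << 28) |
           ((unsigned long)minor  << 20) |
           ((unsigned long)fix    << 12) |
           ((unsigned long)pp     <<  4) |
           (status & 0xfUL);
}

/* The minimum proposed in the thread, 0.9.8f as a release build. */
#define MIN_OPENSSL_VERSION 0x0090806fUL

/* The same comparison a "#if (OPENSSL_VERSION_NUMBER < MIN)" guard performs. */
bool openssl_meets_minimum(unsigned long version)
{
    return version >= MIN_OPENSSL_VERSION;
}

int main(void)
{
    /* 0.9.8e is one patch letter below the proposed minimum and must fail. */
    unsigned long v = openssl_version_number(0, 9, 8, 'e', 0xf);
    printf("0.9.8e = 0x%08lxL, meets 0.9.8f minimum: %s\n",
           v, openssl_meets_minimum(v) ? "yes" : "no");
    return 0;
}
```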
