On Mon, May 08, 2006 at 12:04:24AM +0200, Dr. Stephen Henson wrote:
> > > It looks like I can call SSL_COMP_get_compression_methods(), and if I
> > > get a non-null stack, check whether the stack depth is > 0.
> > >
> > > static void my_set_options(SSL_CTX *ctx)
> > > {
> > >     long options = SSL_OP_ALL;
> > >
> > > #if (OPENSSL_VERSION_NUMBER < 0x0090800fL) || (OPENSSL_VERSION_NUMBER > 0x0090802fL)
> > >
> > >     STACK_OF(SSL_COMP) *comp_methods;
> > >
> > >     comp_methods = SSL_COMP_get_compression_methods();
> > >     if (comp_methods != 0 && sk_SSL_COMP_num(comp_methods) > 0)
> > >         options = SSL_OP_ALL & ~SSL_OP_TLS_BLOCK_PADDING_BUG;
> > > #endif
> > >     SSL_CTX_set_options(ctx, options);
> > > }
> > >
> > > Does this seem sensible?
> >
> > The "#if ( < ) || ( > )" test is inverted, sorry too much on the fly
> > editing, but you get the idea... Is the general approach sensible?
> >
>
> That will of course only perform the version comparison at compile time. If
> OpenSSL shared libraries are updated without recompiling the source then
> that might not do what you want. A runtime comparison would avoid that.

True, if I build with 0.9.8[ab], then the code will suppress the padding
bug work-around even with 0.9.8[c-z], or fail to suppress it on a regression
from 0.9.8[c-z] to 0.9.8[ab].

> This looks like it's one area which was overlooked since the SSLeay days.
> Currently you have to use the function SSLeay() to get the version number at
> runtime.
>
> Some new functions with OPENSSL in them should be added.

Yes, indeed. Would it be appropriate for applications to check for the
same major/minor at runtime and compile time?

    if ((0xFFFFF000L & OPENSSL_VERSION_NUMBER) != (0xFFFFF000L & SSLeay())) {
        /* ... warning or perhaps even fatal error ... */
    }

This would detect mismatches between headers and libraries. Usually the
library SONAME (on my system libssl.so.0.9.7) prevents run-time linking
of an incompatible library, but that too is not 100% foolproof. To date
there has been no expectation that different major.minor OpenSSL releases
will offer the same ABI.
--
Viktor.
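
The runtime form of the two checks discussed in this message, as an added example that is not code from the thread or from OpenSSL. The mask and the 0x0090800f..0x0090802f range are the ones quoted above; the helper names and sample version numbers are constructed, and the version numbers are passed in as arguments (an application would pass OPENSSL_VERSION_NUMBER and the value returned by SSLeay()) so the block builds without OpenSSL.

```c
#include <stdio.h>

#define VER_MASK         0xFFFFF000UL  /* mask used in the message */
#define PADDING_RANGE_LO 0x0090800fUL  /* lower bound from the quoted #if */
#define PADDING_RANGE_HI 0x0090802fUL  /* upper bound from the quoted #if */

/* Hypothetical helper: 1 if headers and library agree on the masked bits. */
static int same_release(unsigned long hdr, unsigned long lib)
{
    return (hdr & VER_MASK) == (lib & VER_MASK);
}

/* Hypothetical helper: 1 if the loaded library is inside the quoted range
 * (the comparison written the right way around, not inverted). */
static int in_padding_range(unsigned long lib)
{
    return lib >= PADDING_RANGE_LO && lib <= PADDING_RANGE_HI;
}

/* Returns -1 on header/library mismatch, 1 if the caller should clear
 * SSL_OP_TLS_BLOCK_PADDING_BUG, 0 if plain SSL_OP_ALL can be used.
 * ncomp is the compression-method stack depth (0 if the stack is NULL). */
static int padding_decision(unsigned long hdr, unsigned long lib, int ncomp)
{
    if (!same_release(hdr, lib))
        return -1;
    return in_padding_range(lib) && ncomp > 0;
}

int main(void)
{
    /* Constructed samples: {header version, library version, ncomp}. */
    static const unsigned long s[][3] = {
        { 0x0090801fUL, 0x0090803fUL, 1 },  /* built on 0.9.8a, runs on 0.9.8c */
        { 0x0090803fUL, 0x0090802fUL, 1 },  /* built on 0.9.8c, runs on 0.9.8b */
        { 0x0090802fUL, 0x0090802fUL, 0 },  /* 0.9.8b, no compression methods */
        { 0x009070afUL, 0x0090802fUL, 1 },  /* 0.9.7 headers, 0.9.8 library */
    };
    size_t i;

    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("hdr=0x%08lx lib=0x%08lx ncomp=%lu -> %d\n",
               s[i][0], s[i][1], s[i][2],
               padding_decision(s[i][0], s[i][1], (int)s[i][2]));
    return 0;
}
```

The first two samples are the cases named in the reply: a compile-time test would get both wrong, while the decision based on the library's own version number follows the library actually loaded.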