Date: Mon, 28 Apr 2014 12:07:44 -0700 From: Charles Swiger <cswiger@mac.com> To: Julian Elischer <julian@freebsd.org> Cc: "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org> Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports Message-ID: <48F0201D-506E-4CDE-B758-D10A65CBBF9F@mac.com> In-Reply-To: <535E99C8.7050309@freebsd.org> References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org> <CAK-wPOhxRtCxCsxE1Y5UvL-U18FOnhgMMfH7gDZ5PHZp_sH_5w@mail.gmail.com> <CAK-wPOi60JMc%2BR2zkmLvoJGu6_AFTHcgrUKHpZUy1qgHSEVG2Q@mail.gmail.com> <86eh0hsq3w.fsf@nine.des.no> <535E99C8.7050309@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi-- On Apr 28, 2014, at 11:11 AM, Julian Elischer <julian@freebsd.org> wrote: >> OpenSSL 0.9.x and 1.0.x are *not* binary compatible. > > are they somewhat "API" compatible? can you compile most code against either? Yes, you can compile most code against either OpenSSL 0.9x or 1.x. The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x: /* ECC support came along in OpenSSL 1.0.0 */ #if (OPENSSL_VERSION_NUMBER < 0x10000000) #define OPENSSL_NO_EC #endif That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h. A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar. Regards, -- -Chuck PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such. See curl-7.35.0/lib/vtls/openssl.c: case CURL_SSLVERSION_SSLv3: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_TLSv1; #if OPENSSL_VERSION_NUMBER >= 0x1000100FL ctx_options |= SSL_OP_NO_TLSv1_1; ctx_options |= SSL_OP_NO_TLSv1_2; #endif break; case CURL_SSLVERSION_TLSv1: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; break; case CURL_SSLVERSION_TLSv1_0: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; #if OPENSSL_VERSION_NUMBER >= 0x1000100FL ctx_options |= SSL_OP_NO_TLSv1_1; ctx_options |= SSL_OP_NO_TLSv1_2; #endif break; #if OPENSSL_VERSION_NUMBER >= 0x1000100FL case CURL_SSLVERSION_TLSv1_1: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; ctx_options |= SSL_OP_NO_TLSv1; ctx_options |= SSL_OP_NO_TLSv1_2; break; case CURL_SSLVERSION_TLSv1_2: ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv3; ctx_options |= SSL_OP_NO_TLSv1; ctx_options |= SSL_OP_NO_TLSv1_1; break; #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48F0201D-506E-4CDE-B758-D10A65CBBF9F>