Date:      Mon, 28 Apr 2014 12:07:44 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        Julian Elischer <julian@freebsd.org>
Cc:        "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>
Subject:   Re: ports requiring OpenSSL not honouring OpenSSL from ports
Message-ID:  <48F0201D-506E-4CDE-B758-D10A65CBBF9F@mac.com>
In-Reply-To: <535E99C8.7050309@freebsd.org>
References:  <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org> <CAK-wPOhxRtCxCsxE1Y5UvL-U18FOnhgMMfH7gDZ5PHZp_sH_5w@mail.gmail.com> <CAK-wPOi60JMc%2BR2zkmLvoJGu6_AFTHcgrUKHpZUy1qgHSEVG2Q@mail.gmail.com> <86eh0hsq3w.fsf@nine.des.no> <535E99C8.7050309@freebsd.org>

Hi--

On Apr 28, 2014, at 11:11 AM, Julian Elischer <julian@freebsd.org> wrote:
>> OpenSSL 0.9.x and 1.0.x are *not* binary compatible.
> 
> are they somewhat "API" compatible?  can you compile most code against either?

Yes, you can compile most code against either OpenSSL 0.9.x or 1.x.

The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x:

/* ECC support came along in OpenSSL 1.0.0 */
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define OPENSSL_NO_EC
#endif

That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h.
A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar.

Regards,
-- 
-Chuck

PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such.
See curl-7.35.0/lib/vtls/openssl.c:

  case CURL_SSLVERSION_SSLv3:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_TLSv1;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

  case CURL_SSLVERSION_TLSv1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    break;

  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
  case CURL_SSLVERSION_TLSv1_1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
    break;

  case CURL_SSLVERSION_TLSv1_2:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_1;
    break;
#endif
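The following is an added example, not code from Chuck's message, from curl or from Apache. It decodes the OPENSSL_VERSION_NUMBER encoding that OpenSSL 0.9.x and 1.x headers use (0xMNNFFPPS: major, minor, fix, patch, status; OpenSSL 3 later changed this scheme), so that thresholds such as 0x1000100FL can be read as "1.0.1 release", and it mirrors the curl switch quoted above with illustration-local bit values standing in for the SSL_OP_NO_* constants (the values are not OpenSSL's, and no OpenSSL header is needed). The names decode_version, version_string, has_tls11_12_options and disabled_protocols are assumptions of this example. The defender-relevant point it makes concrete is the one implied by the #if guards: a client compiled against headers older than 1.0.1 has no way to express "TLS 1.0 only", so the protocol set a port can enforce depends on which OpenSSL headers it was actually built against, which is exactly the base-versus-ports mismatch this thread is about.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the post, curl or Apache). Decodes the
 * OPENSSL_VERSION_NUMBER encoding used by OpenSSL 0.9.x/1.x headers,
 * 0xMNNFFPPS (major, minor, fix, patch, status), and mirrors the curl
 * switch quoted above using illustration-local bits.  Needs no OpenSSL
 * header, so it builds anywhere. */

struct ossl_version { unsigned major, minor, fix, patch, status; };

struct ossl_version decode_version(unsigned long n)
{
    struct ossl_version v;
    v.major  = (unsigned)((n >> 28) & 0xF);
    v.minor  = (unsigned)((n >> 20) & 0xFF);
    v.fix    = (unsigned)((n >> 12) & 0xFF);
    v.patch  = (unsigned)((n >>  4) & 0xFF);
    v.status = (unsigned)(n & 0xF);   /* 0 = dev, 1..0xE = beta, 0xF = release */
    return v;
}

/* "1.0.1", "1.0.1f", "0.9.8y": patch 1..25 maps to a letter, anything else
 * prints "p<n>" (the double-letter 0.9.8za style is not reproduced here). */
const char *version_string(unsigned long n)
{
    static char buf[32];
    struct ossl_version v = decode_version(n);
    if (v.patch == 0)
        snprintf(buf, sizeof buf, "%u.%u.%u", v.major, v.minor, v.fix);
    else if (v.patch <= 25)
        snprintf(buf, sizeof buf, "%u.%u.%u%c", v.major, v.minor, v.fix,
                 (char)('a' + v.patch - 1));
    else
        snprintf(buf, sizeof buf, "%u.%u.%up%u", v.major, v.minor, v.fix, v.patch);
    return buf;
}

/* Illustration-local stand-ins for SSL_OP_NO_*; the values are NOT OpenSSL's. */
#define NO_SSLv2   0x01u
#define NO_SSLv3   0x02u
#define NO_TLSv1   0x04u
#define NO_TLSv1_1 0x08u
#define NO_TLSv1_2 0x10u

/* Threshold curl tests: SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2 first appear in 1.0.1. */
#define OSSL_1_0_1_RELEASE 0x1000100FUL
#define PIN_UNSUPPORTED    0xFFFFFFFFu

enum req_version { REQ_SSLv3, REQ_TLSv1, REQ_TLSv1_0, REQ_TLSv1_1, REQ_TLSv1_2 };

int has_tls11_12_options(unsigned long built_against)
{
    return built_against >= OSSL_1_0_1_RELEASE;
}

/* Which protocols a curl-like client can disable for `want`, given the
 * OPENSSL_VERSION_NUMBER of the headers it was *compiled* against.  Returns
 * PIN_UNSUPPORTED for the cases curl compiles out below 1.0.1. */
unsigned disabled_protocols(unsigned long built_against, enum req_version want)
{
    int newer = has_tls11_12_options(built_against);
    unsigned m = 0;
    switch (want) {
    case REQ_SSLv3:
        m = NO_SSLv2 | NO_TLSv1;
        if (newer) m |= NO_TLSv1_1 | NO_TLSv1_2;
        break;
    case REQ_TLSv1:
        m = NO_SSLv2 | NO_SSLv3;
        break;
    case REQ_TLSv1_0:
        m = NO_SSLv2 | NO_SSLv3;
        if (newer) m |= NO_TLSv1_1 | NO_TLSv1_2;
        break;
    case REQ_TLSv1_1:
        if (!newer) return PIN_UNSUPPORTED;
        m = NO_SSLv2 | NO_SSLv3 | NO_TLSv1 | NO_TLSv1_2;
        break;
    case REQ_TLSv1_2:
        if (!newer) return PIN_UNSUPPORTED;
        m = NO_SSLv2 | NO_SSLv3 | NO_TLSv1 | NO_TLSv1_1;
        break;
    }
    return m;
}

int main(void)
{
    /* Constructed sample: a build against base 0.9.8y headers vs ports 1.0.1f headers. */
    unsigned long builds[] = { 0x0090819FUL, 0x1000106FUL };
    for (size_t i = 0; i < 2; i++) {
        unsigned m = disabled_protocols(builds[i], REQ_TLSv1_0);
        printf("headers %-7s TLSv1_0 pin disables 0x%02x; TLS 1.1/1.2 still allowed: %s\n",
               version_string(builds[i]), m,
               (m & (NO_TLSv1_1 | NO_TLSv1_2)) ? "no" : "yes");
    }
    return 0;
}
```

Running it prints one line per build: the 0.9.8y build can only clear SSLv2/SSLv3 for a "TLS 1.0" request, while the 1.0.1f build also clears TLS 1.1 and 1.2. A practical check on a FreeBSD host that has both base and ports OpenSSL is therefore to confirm which opensslv.h a port's build actually picked up, since OPENSSL_VERSION_NUMBER is fixed at compile time and does not follow the library the binary later links against.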
