ports requiring OpenSSL not honouring OpenSSL from ports
Charles Swiger
cswiger at mac.com
Mon Apr 28 19:07:45 UTC 2014
Hi--
On Apr 28, 2014, at 11:11 AM, Julian Elischer <julian at freebsd.org> wrote:
>> OpenSSL 0.9.x and 1.0.x are *not* binary compatible.
>
> are they somewhat "API" compatible? can you compile most code against either?
Yes, you can compile most code against either OpenSSL 0.9x or 1.x.
The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x:
    /* ECC support came along in OpenSSL 1.0.0 */
    #if (OPENSSL_VERSION_NUMBER < 0x10000000)
    #define OPENSSL_NO_EC
    #endif
That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h.
A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar.
Regards,
--
-Chuck
PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such.
See curl-7.35.0/lib/vtls/openssl.c:
    case CURL_SSLVERSION_SSLv3:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_TLSv1;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
      ctx_options |= SSL_OP_NO_TLSv1_1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
      break;
    case CURL_SSLVERSION_TLSv1:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      break;
    case CURL_SSLVERSION_TLSv1_0:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
      ctx_options |= SSL_OP_NO_TLSv1_1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
      break;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    case CURL_SSLVERSION_TLSv1_1:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      ctx_options |= SSL_OP_NO_TLSv1;
      ctx_options |= SSL_OP_NO_TLSv1_2;
      break;
    case CURL_SSLVERSION_TLSv1_2:
      ctx_options |= SSL_OP_NO_SSLv2;
      ctx_options |= SSL_OP_NO_SSLv3;
      ctx_options |= SSL_OP_NO_TLSv1;
      ctx_options |= SSL_OP_NO_TLSv1_1;
      break;
    #endif
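Both checks quoted above (Apache's `< 0x10000000` for ECC, curl's `>= 0x1000100FL` for the TLSv1.1/1.2 options) compare against the packed hex layout of OPENSSL_VERSION_NUMBER. The following is an added example, not code from the mail, from Apache, or from curl: it decodes that pre-3.0 layout (major nibble, two-digit minor, fix, patch, and a status nibble where F means release) without needing OpenSSL headers, and wraps the two thresholds from the post as predicates so a port maintainer can see exactly which releases pass each test. The function and struct names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Decoded form of a pre-3.0 OPENSSL_VERSION_NUMBER: 0xMNNFFPPS */
struct ossl_version {
    unsigned major;   /* M  : one hex digit            */
    unsigned minor;   /* NN : two hex digits           */
    unsigned fix;     /* FF : two hex digits           */
    unsigned patch;   /* PP : 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status;  /* S  : 0 = dev, 1..E = beta N, F = release */
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xF);
    r.minor  = (unsigned)((v >> 20) & 0xFF);
    r.fix    = (unsigned)((v >> 12) & 0xFF);
    r.patch  = (unsigned)((v >> 4)  & 0xFF);
    r.status = (unsigned)(v & 0xF);
    return r;
}

/* Render a version number the way `openssl version` prints it, e.g. "1.0.1g". */
char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version r = ossl_decode(v);
    int n = snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
    if (n < 0 || (size_t)n >= len)
        return buf;
    if (r.patch > 0 && (size_t)n + 1 < len) {
        buf[n++] = (char)('a' + r.patch - 1);
        buf[n] = '\0';
    }
    if (r.status == 0)
        snprintf(buf + n, len - (size_t)n, "-dev");
    else if (r.status < 0xF)
        snprintf(buf + n, len - (size_t)n, "-beta%u", r.status);
    return buf;
}

/* Convenience for tests: does v render as the given string? */
int ossl_is(unsigned long v, const char *expected)
{
    char buf[32];
    return strcmp(ossl_format(v, buf, sizeof buf), expected) == 0;
}

/* Apache's ssl_toolkit_compat.h test: ECC exists from 1.0.0 onward. */
int ossl_has_ec(unsigned long v)
{
    return v >= 0x10000000UL;
}

/* curl's openssl.c test: SSL_OP_NO_TLSv1_1 / _1_2 exist from 1.0.1 onward. */
int ossl_has_tls11_12_opts(unsigned long v)
{
    return v >= 0x1000100FUL;
}

int main(void)
{
    /* Constructed sample values spanning the 0.9.x / 1.0.x boundary. */
    const unsigned long samples[] = { 0x0090812FUL, 0x1000007FUL, 0x1000100FUL, 0x1000107FUL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = samples[i];
        printf("0x%08lX = %-10s ec=%d tls11/12 opts=%d\n", v,
               ossl_format(v, buf, sizeof buf), ossl_has_ec(v), ossl_has_tls11_12_opts(v));
    }
    return 0;
}
```

The 0.9.8 line fails Apache's ECC test, 1.0.0 passes it but still lacks curl's per-version TLS options, and 1.0.1 and later pass both, which is why code compiled against either series builds cleanly yet may silently lose functionality when linked against the older one.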