Am 18.04.2016 um 18:13 schrieb Rainer Jung:
Am 18.04.2016 um 17:28 schrieb jean-frederic clere:
On 04/18/2016 05:03 PM, Rainer Jung wrote:
Hi Mark,
Am 18.04.2016 um 16:37 schrieb Mark Thomas:
I'd like to get the next tc-native release out before the end of the
month so the next round of Tomcat releases can pick it up -
particularly
the cert chain from Java keystore fix.
I'm intending to tag in ~24 hours. Please reply if you need me to
delay.
Current code status:
a) I tried to keep compatibility with OpenSSL 1.0.2 all the time. Any
breaks would be unintended. At least things compiled here. More eyes and
tests for the changes applied since 1.2.5 are very welcome.
b) it will not compile with against latest OpenSSL 1.1.0 beta, because
to stay compatible with 1.1.0 head we had to use more recent OpenSSL
functions introduced after the last beta
c) it will not compile with the latest OpenSSL 1.1.0 snapshot either,
because I haven't yet found a solution to an API change only introduced
last week
I'll see whether I find a fix for c) so that the release would at least
work with a current OpenSSL 1.1.0 snapshot. Even if not, I think you can
release, because OpenSSL 1.1.0 head still doesn't seem to be API stable,
so we are not at the end of changes anyhows.
Background infoRecently there was another opaqueness change in OpenSSL
1.1.0 head. There's one incompatibility remaining between tcnative head
and OpenSSL 1.1.0 head for which I didn't find an immediate replacement.
So compiling against latest 1.1.0 snapshots will result in a compilation
error in ssl_verify_CRL().
The CRL handling code is very different from what we can find in OpenSSL
example/apps code and it could well be, that we should replace a bigger
part of that code with some pre-cooked cert validation function (call)
in OpenSSL.
Is mod_ssl also affected by those API changes?
Not 2.4, but our code seems to go back to 2.2. The code has
significantly changed for 2.4 in r1165056 which is likely the change we
will adopt as well.
The reason for that change was sent by Kaspar Brand on 2011-07-31:
===================
I'm considering cleaning up some of the cert revocation checking code in
mod_ssl, in particular ssl_callback_SSLVerify_CRL(), which currently has
the following comment:
* OpenSSL provides the general mechanism to deal with CRLs but does not
* use them automatically when verifying certificates, so we do it
* explicitly here. We will check the CRL for the currently checked
* certificate, if there is such a CRL in the store.
This was true in 1999 when CRL support was originally added to mod_ssl
by rse, but times have changed - CRL checking support was introduced
with OpenSSL 0.9.7, released in December 2002
(http://cvs.openssl.org/chngview?cn=4670).
===================
So we've got quite some unfortunate code drift between where our code
originally came from and what's there today.
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
