The function SSL_set_SSL_CTX is missing in openssl 0.9.7 and also not
accessible in the RHEL5 builds.
On 9/24/2014 10:40 AM, Susan Hinrichs wrote:
Noticed something in the RHEL5 build while tracking down build
errors. For RHEL5 master build TS_USE_TLS_SNI is not defined which
means the function SSL_CTX_set_tlsext_servername_callback is not set
in the version of openssl used by RHEL5. This means that SSL
certificate support in 5.x will not work on RHEL5 because only the
default cert is loaded initially. The real certs are applied in the
SNI callback (which will not get called).
Actually looking more closely at the RHEL5 build output we see
checking for SSL_CTX_set_tlsext_servername_callback... yes
checking for SSL_get_servername... no
checking whether to enable ServerNameIndication TLS extension support... no
Which to me means that the SNI callback logic is present, but the
accessor method to get the name later is not present. If we really
needed to support certificates in RHEL5, we could work around that.
On 9/21/2014 7:33 PM, Brian Geffon wrote:
Ok, so I just found this in SSLUtils.cc:
#if (OPENSSL_VERSION_NUMBER < 0x00090400L)
# error Traffic Server requires an OpenSSL library version 0.9.4 or greater
#endif
On Sun, Sep 21, 2014 at 5:31 PM, James Peach <jpe...@apache.org> wrote:
On Sep 21, 2014, at 5:23 PM, Brian Geffon <briangef...@gmail.com> wrote:
Hi All,
This is something that apparently has never been brought up, we don't have
a strict OpenSSL minimum version. By explicitly stating our minimum
supported OpenSSL version we can clean up our SSL code, specifically around
the SNI #ifdefs. I'm going to propose that we make *0.9.8f* our minimum
supported version. This was the first version to support SNI and was
released in late 2007 (around 7 years ago). It seems like a good place to
start. Thoughts?
+1, provided the configure script checks for it, and we document it :)
J