From owner-freebsd-security@FreeBSD.ORG  Mon Apr 28 19:07:45 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9823E290;
 Mon, 28 Apr 2014 19:07:45 +0000 (UTC)
Received: from mail-out.apple.com (mail-out.apple.com [17.151.62.50])
 (using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 739FB1472;
 Mon, 28 Apr 2014 19:07:45 +0000 (UTC)
MIME-version: 1.0
Received: from mail-out.apple.com by local.mail-out.apple.com
 (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013))
 id <0N4R00C008QICP00@local.mail-out.apple.com>; Mon,
 28 Apr 2014 12:07:45 -0700 (PDT)
Received: from relay7.apple.com ([17.128.113.101]) by local.mail-out.apple.com
 (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct
 22 2013))
 with ESMTP id <0N4R004WD94P7F40@local.mail-out.apple.com>; Mon,
 28 Apr 2014 12:07:44 -0700 (PDT)
X-AuditID: 11807165-f79076d0000015d9-7c-535ea6f76381
Received: from [17.149.239.226] (Unknown_Domain [17.149.239.226])
 (using TLS with cipher AES128-SHA (128/128 bits))
 (Client did not present a certificate)	by relay7.apple.com (Apple SCV relay)
 with SMTP id 2B.C2.05593.7F6AE535; Mon, 28 Apr 2014 12:07:36 -0700 (PDT)
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
From: Charles Swiger <cswiger@mac.com>
In-reply-to: <535E99C8.7050309@freebsd.org>
Date: Mon, 28 Apr 2014 12:07:44 -0700
Message-id: <48F0201D-506E-4CDE-B758-D10A65CBBF9F@mac.com>
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
 <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org>
 <CAK-wPOhxRtCxCsxE1Y5UvL-U18FOnhgMMfH7gDZ5PHZp_sH_5w@mail.gmail.com>
 <CAK-wPOi60JMc+R2zkmLvoJGu6_AFTHcgrUKHpZUy1qgHSEVG2Q@mail.gmail.com>
 <86eh0hsq3w.fsf@nine.des.no> <535E99C8.7050309@freebsd.org>
To: Julian Elischer <julian@freebsd.org>
X-Mailer: Apple Mail (2.1510)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrILMWRmVeSWpSXmKPExsUiOPX9I90fy+KCDb7kW/RsesJmcXXuT2YH
 Jo8Zn+azBDBGcdmkpOZklqUW6dslcGU0vFnNVNBqXnF6VztbA+M7/S5GTg4JAROJjsf3mCFs
 MYkL99azdTFycQgJ9DNJdPR8YwNJMAskSOzdvBCoiIODV0BPYvsvORBTWMBV4sZ/IRCTTUBN
 YsJEHpBiTgFtiUVtR8EaWQRUJWYemcAEMcRL4tHjiYwgNq+AlcSbKU/YITZtZ5I4vug7O0hC
 REBD4vqOGawQ58hKnD73nGUCI98sJEfMQjgCIqwtsWzha7Aws4COxOSFjKjCEPbH80eYFjCy
 rWIUKErNSaw010ssKMhJ1UvOz93ECArIhsLUHYyNy60OMQpwMCrx8HbExAULsSaWFVfmHmKU
 4GBWEuG1bQUK8aYkVlalFuXHF5XmpBYfYpTmYFES5z0UGRssJJCeWJKanZpakFoEk2Xi4JRq
 YFyVkfhS0I2hxFN3d9xHjdkStWuneLrXLNd4MPVarUndFvUwEcvKIzduTOzrrXkltUvGlVHs
 q99cf/6iR85e2zj+NUi+VdxvKZDvHlmxoeoWY+zaqS2X2zedvPZqP+vPyiaxqbFGW2t+13xg
 XrWR6XA+6/ybl2JqExuv/NEUOtjt6RDDIByop8RSnJFoqMVcVJwIAJVerh5EAgAA
Content-Type: text/plain; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.17
Cc: "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 19:07:45 -0000

Hi--

On Apr 28, 2014, at 11:11 AM, Julian Elischer <julian@freebsd.org> wrote:
>> OpenSSL 0.9.x and 1.0.x are *not* binary compatible.
> 
> are they somewhat "API" compatible?  can you compile most code against either?

Yes, you can compile most code against either OpenSSL 0.9x or 1.x.

The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x:

/* ECC support came along in OpenSSL 1.0.0 */
#if (OPENSSL_VERSION_NUMBER < 0x10000000)
#define OPENSSL_NO_EC
#endif

That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h.
A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar.

Regards,
-- 
-Chuck

PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such.
See curl-7.35.0/lib/vtls/openssl.c:

  case CURL_SSLVERSION_SSLv3:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_TLSv1;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

  case CURL_SSLVERSION_TLSv1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    break;

  case CURL_SSLVERSION_TLSv1_0:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
    ctx_options |= SSL_OP_NO_TLSv1_1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
    break;

#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
  case CURL_SSLVERSION_TLSv1_1:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_2;
    break;

  case CURL_SSLVERSION_TLSv1_2:
    ctx_options |= SSL_OP_NO_SSLv2;
    ctx_options |= SSL_OP_NO_SSLv3;
    ctx_options |= SSL_OP_NO_TLSv1;
    ctx_options |= SSL_OP_NO_TLSv1_1;
    break;
#endif