Hi--

On Apr 28, 2014, at 11:11 AM, Julian Elischer <julian@freebsd.org> wrote:
>> OpenSSL 0.9.x and 1.0.x are *not* binary compatible.
>
> are they somewhat "API" compatible? can you compile most code against either?

Yes, you can compile most code against either OpenSSL 0.9x or 1.x. The OpenSSL API defines OPENSSL_VERSION_NUMBER like so to distinguish new functionality in 1.x:

    /* ECC support came along in OpenSSL 1.0.0 */
    #if (OPENSSL_VERSION_NUMBER < 0x10000000)
    #define OPENSSL_NO_EC
    #endif

That's the only test for OpenSSL 1 functionality in Apache, taken from httpd-2.2.27/modules/ssl/ssl_toolkit_compat.h. A quick check of other common users of SSL like curl, OpenLDAP, nmap, & nginx is pretty similar.

Regards,
-- 
-Chuck

PS: curl seems to have the most checks against OpenSSL 1.x, in order to force SSLv3 vs TLS versions if the user specifies such. See curl-7.35.0/lib/vtls/openssl.c:

      case CURL_SSLVERSION_SSLv3:
        ctx_options |= SSL_OP_NO_SSLv2;
        ctx_options |= SSL_OP_NO_TLSv1;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
        ctx_options |= SSL_OP_NO_TLSv1_1;
        ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
        break;

      case CURL_SSLVERSION_TLSv1:
        ctx_options |= SSL_OP_NO_SSLv2;
        ctx_options |= SSL_OP_NO_SSLv3;
        break;

      case CURL_SSLVERSION_TLSv1_0:
        ctx_options |= SSL_OP_NO_SSLv2;
        ctx_options |= SSL_OP_NO_SSLv3;
    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
        ctx_options |= SSL_OP_NO_TLSv1_1;
        ctx_options |= SSL_OP_NO_TLSv1_2;
    #endif
        break;

    #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
      case CURL_SSLVERSION_TLSv1_1:
        ctx_options |= SSL_OP_NO_SSLv2;
        ctx_options |= SSL_OP_NO_SSLv3;
        ctx_options |= SSL_OP_NO_TLSv1;
        ctx_options |= SSL_OP_NO_TLSv1_2;
        break;

      case CURL_SSLVERSION_TLSv1_2:
        ctx_options |= SSL_OP_NO_SSLv2;
        ctx_options |= SSL_OP_NO_SSLv3;
        ctx_options |= SSL_OP_NO_TLSv1;
        ctx_options |= SSL_OP_NO_TLSv1_1;
        break;
    #endif

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
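
An added example, not part of the original message and not code from Apache or curl: because the compile-time `#if` tests above only see the headers, a program can also compare the build-time version number with the one the loaded library reports at run time (`SSLeay()` in 0.9.x/1.0.x) and refuse to continue on a mismatch. The function names, the sample version values and the matching policy (same major.minor series, run-time fix level not older than the build) are assumptions of this sketch; the bit layout is the pre-3.0 `0xMNNFFPPS` encoding.

```c
#include <stdio.h>

/* Fields of the pre-3.0 OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS. */
struct ossl_ver { unsigned maj, min, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.maj    = (unsigned)((v >> 28) & 0xf);
    r.min    = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);   /* letter: 1 = a, 7 = g */
    r.status = (unsigned)(v & 0xf);           /* 0xf = release        */
    return r;
}

/* The thresholds the quoted Apache and curl code test at compile time. */
static int ossl_has_ec(unsigned long v)       { return v >= 0x10000000UL; }
static int ossl_has_tls11_12(unsigned long v) { return v >= 0x1000100FUL; }

enum ossl_match { OSSL_OK, OSSL_SERIES_MISMATCH, OSSL_RUNTIME_OLDER };

/* built:  OPENSSL_VERSION_NUMBER from the headers used at compile time.
 * loaded: the number reported by the library actually loaded.
 * Policy (assumption of this example): the major.minor series must match,
 * and the loaded fix level must not be older than the one built against. */
static enum ossl_match ossl_check(unsigned long built, unsigned long loaded)
{
    struct ossl_ver b = ossl_decode(built), l = ossl_decode(loaded);
    if (b.maj != l.maj || b.min != l.min)
        return OSSL_SERIES_MISMATCH;   /* e.g. 0.9.x headers, 1.0.x library */
    if (l.fix < b.fix)
        return OSSL_RUNTIME_OLDER;     /* #if-guarded features may be absent */
    return OSSL_OK;
}

int main(void)
{
    /* Constructed sample values: built against 1.0.1g, loaded 0.9.8y. */
    unsigned long built = 0x1000107FUL, loaded = 0x0090819FUL;
    struct ossl_ver l = ossl_decode(loaded);
    printf("loaded %u.%u.%u patch %u: EC=%d TLS1.1/1.2=%d check=%d\n",
           l.maj, l.min, l.fix, l.patch, ossl_has_ec(loaded),
           ossl_has_tls11_12(loaded), (int)ossl_check(built, loaded));
    return 0;
}
```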