Re: [exim-dev] [exim] El Capitan devs wanted

Author: Viktor Dukhovni
Date:  
To: exim-dev@exim.org
Subject: Re: [exim-dev] [exim] El Capitan devs wanted
On Sun, Dec 06, 2015 at 07:13:56AM +0000, Phil Pennock wrote:

> I've yet to make the jump to El Capitan. Waiting for 10.11.1 or 10.11.2
> before I do.


My system is running 10.11.1, FWIW, so that's out. [ Can't say
I'm thrilled with all the changes. And Spotlight indexing of your
TimeMachine drive will take forever the first time (if you don't
need that, turn it off). ]

> It means that those who haven't already done so run `brew install
> openssl`.


Speaking of OpenSSL, there are plenty of changes in the "master"
version on Github that will require some source changes (conditional
on "#if OPENSSL_VERSION_NUMBER >= 0x10100000L" or similar) for
compatibility with the eventual 1.1.0 release.

Since upcoming Exim releases may still be around when folks try to
build Exim with OpenSSL 1.1.0 in Q2 of 2016, I'd strongly recommend
considering porting now.

Just yesterday, two commits that IIRC will affect Exim. There are
certainly a few OpenSSL master related "bitrot" commits in the
Postfix dev snapshots lately.

    commit fe6ef2472db933f01b59cad82aa925736935984b
    Author: Kurt Roeckx <kurt@???>
    Date:   Fri Dec 4 22:30:36 2015 +0100


    Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH


    Reviewed-by: Dr. Stephen Henson <steve@???>


    commit 6977e8ee4a718a76351ba5275a9f0be4e530eab5
    Author: Kurt Roeckx <kurt@???>
    Date:   Fri Dec 4 22:25:11 2015 +0100


    Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()


    SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it.  On
    the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
    only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.


    Reviewed-by: Dr. Stephen Henson <steve@???>


Also support for ephemeral RSA (export-cipher RSA) went away and
with it the tmp_rsa callback API. Some structures are now opaque,
and there's an X509_up_ref() function for grabbing an extra
certificate reference, instead of the legacy CRYPTO_add() API.

Let me know if you run into anything too cumbersome. So far it's
been fairly routine and minimal, just a couple of macros here and
there. Things like:

    #if OPENSSL_VERSION_NUMBER < 0x10100000L
    #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
    #endif


Which reminds me to update the ssl_dane library on github. I'll do
that shortly. I've been making sure Postfix builds against OpenSSL
master, but not paying nearly as much attention to the unbundled
ssl_dane library.

> Apple's change makes it _easier_ for us, because we'll have less dealing
> with people who build against one set of headers but link against a
> different library. They'll have to be specifying a header include path
> so are more likely to be specifying a library path too.


Sounds plausible. One can hope it works out that way. :-)

-- 
    Viktor.
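
The version guard used in the message, worked through as an added example (not code from this message, Exim or Postfix): it decodes the pre-3.0 `OPENSSL_VERSION_NUMBER` layout and reports which of the porting items named above apply. The flag names and the sample version values are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout is 0xMNNFFPPS:
 * major, minor, fix, patch, status (0 = dev, 1..e = beta, f = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Hypothetical flag names for the porting items named in the message. */
enum {
    NEED_X509_UP_REF_SHIM = 1, /* define X509_up_ref() via CRYPTO_add() */
    CALL_SET_ECDH_AUTO    = 2, /* SSL_CTX_set_ecdh_auto() exists and is needed */
    HAVE_TMP_RSA_CALLBACK = 4  /* tmp_rsa callback API still present */
};

static unsigned port_flags(unsigned long v)
{
    unsigned f = 0;
    if (v < 0x10100000UL) {           /* same test as the message's #if */
        f |= NEED_X509_UP_REF_SHIM | HAVE_TMP_RSA_CALLBACK;
        if (v >= 0x10002000UL)        /* set_ecdh_auto arrived in 1.0.2 */
            f |= CALL_SET_ECDH_AUTO;
    }
    return f;
}

int main(void)
{
    /* Constructed sample values, not taken from the message. */
    static const unsigned long samples[] = {
        0x1000114fUL, 0x1000200fUL, 0x10100000UL, 0x1010000fUL
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ossl_ver d = ossl_decode(samples[i]);
        printf("0x%08lx = %u.%u.%u patch %u status %x -> flags %u\n",
               samples[i], d.major, d.minor, d.fix, d.patch, d.status,
               port_flags(samples[i]));
    }
    return 0;
}
```

Because the threshold `0x10100000L` has a status nibble of 0, development snapshots of master already take the 1.1.0 path; a guard written against `0x1010000fL` would send them down the legacy path.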