From 1eb818742fa1fb6d107f14cf7ef8e69e60772df0 Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sun, 7 Aug 2011 10:29:09 +0000 Subject: [PATCH] Drop support for the RSA BSAFE SSL-C toolkit from configure, and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 + acinclude.m4 | 173 +++++++++++-------------------- modules/ssl/README | 1 - modules/ssl/config.m4 | 4 +- modules/ssl/mod_ssl.c | 6 -- modules/ssl/ssl_engine_init.c | 9 +- modules/ssl/ssl_engine_io.c | 8 +- modules/ssl/ssl_engine_kernel.c | 3 - modules/ssl/ssl_engine_pphrase.c | 10 -- modules/ssl/ssl_engine_vars.c | 2 - modules/ssl/ssl_private.h | 6 +- modules/ssl/ssl_toolkit_compat.h | 112 -------------------- modules/ssl/ssl_util.c | 21 ---- modules/ssl/ssl_util_ssl.c | 18 ---- modules/ssl/ssl_util_ssl.h | 20 +--- support/ab.c | 19 +--- 16 files changed, 72 insertions(+), 343 deletions(-) diff --git a/CHANGES b/CHANGES index d67fd84a8d..3082b0fb12 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. + [Kaspar Brand] + *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the cookie is set when modules such as mod_rewrite trigger a redirect. Also use r->err_headers_out for the cookie, for the same reason. PR29755. diff --git a/acinclude.m4 b/acinclude.m4 index 214763964f..b12fa502f5 100644 --- a/acinclude.m4 +++ b/acinclude.m4 
@@ -437,41 +437,32 @@ AC_DEFUN(APACHE_REQUIRE_CXX,[ ]) dnl -dnl APACHE_CHECK_SSL_TOOLKIT +dnl APACHE_CHECK_OPENSSL dnl -dnl Configure for the detected openssl/ssl-c toolkit installation, giving -dnl preference to "--with-ssl=" if it was specified. +dnl Configure for OpenSSL, giving preference to +dnl "--with-ssl=" if it was specified. dnl -AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ - AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [ +AC_DEFUN(APACHE_CHECK_OPENSSL,[ + AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [ dnl initialise the variables we use - ac_cv_ssltk=yes - ap_ssltk_found="" - ap_ssltk_base="" - ap_ssltk_libs="" - ap_ssltk_type="" + ac_cv_openssl=yes + ap_openssl_found="" + ap_openssl_base="" + ap_openssl_libs="" - dnl Determine the SSL/TLS toolkit's base directory, if any - AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base]) - AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [ - dnl If --with-sslc specifies a directory, we use that directory or fail + dnl Determine the OpenSSL base directory, if any + AC_MSG_CHECKING([for user-provided OpenSSL base directory]) + AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL base directory), [ + dnl If --with-ssl specifies a directory, we use that directory if test "x$withval" != "xyes" -a "x$withval" != "x"; then dnl This ensures $withval is actually a directory and that it is absolute - ap_ssltk_base="`cd $withval ; pwd`" - fi - ap_ssltk_type="sslc" - ]) - AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [ - dnl If --with-ssl specifies a directory, we use that directory or fail - if test "x$withval" != "xyes" -a "x$withval" != "x"; then - dnl This ensures $withval is actually a directory and that it is absolute - ap_ssltk_base="`cd $withval ; pwd`" + ap_openssl_base="`cd $withval ; pwd`" fi ]) - if test "x$ap_ssltk_base" = "x"; then + if test "x$ap_openssl_base" = "x"; then AC_MSG_RESULT(none) else - AC_MSG_RESULT($ap_ssltk_base) + 
AC_MSG_RESULT($ap_openssl_base) fi dnl Run header and version checks @@ -480,19 +471,19 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ saved_LDFLAGS="$LDFLAGS" SSL_LIBS="" - dnl Before doing anything else, load in pkg-config variables (if not sslc). - if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then + dnl Before doing anything else, load in pkg-config variables + if test -n "$PKGCONFIG"; then saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH" - if test "x$ap_ssltk_base" != "x" -a \ - -f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then + if test "x$ap_openssl_base" != "x" -a \ + -f "${ap_openssl_base}/lib/pkgconfig/openssl.pc"; then dnl Ensure that the given path is used by pkg-config too, otherwise dnl the system openssl.pc might be picked up instead. - PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}" + PKG_CONFIG_PATH="${ap_openssl_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}" export PKG_CONFIG_PATH fi - ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`" + ap_openssl_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`" if test $? -eq 0; then - ap_ssltk_found="yes" + ap_openssl_found="yes" pkglookup="`$PKGCONFIG --cflags-only-I openssl`" APR_ADDTO(CPPFLAGS, [$pkglookup]) APR_ADDTO(INCLUDES, [$pkglookup]) 
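Review bot: The `cd $withval ; pwd` command substitution that sets ap_openssl_base does not fail when `--with-ssl=DIR` names a directory that does not exist: `cd` only complains on stderr, `;` runs `pwd` regardless, and the base silently becomes the current build directory, while the rewritten dnl comment even drops the old "or fail" wording. For a build whose whole point may be to link a specific patched OpenSSL instead of the system one, that should be a hard error rather than a silent fallback to whatever pkg-config finds next. Use `cd "$withval" 2>/dev/null && pwd` inside the substitution and follow it with `test -n "$ap_openssl_base" || AC_MSG_ERROR([--with-ssl: $withval is not a directory])`; quoting `"$withval"` also keeps paths containing spaces from being split.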
@@ -502,105 +493,59 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ fi PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH" fi - if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then - APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include]) - APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include]) - APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib]) - APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib]) + + dnl fall back to the user-supplied directory if not found via pkg-config + if test "x$ap_openssl_base" != "x" -a "x$ap_openssl_found" = "x"; then + APR_ADDTO(CPPFLAGS, [-I$ap_openssl_base/include]) + APR_ADDTO(INCLUDES, [-I$ap_openssl_base/include]) + APR_ADDTO(LDFLAGS, [-L$ap_openssl_base/lib]) + APR_ADDTO(SSL_LIBS, [-L$ap_openssl_base/lib]) if test "x$ap_platform_runtime_link_flag" != "x"; then - APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib]) - APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib]) + APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib]) + APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib]) fi fi - if test "x$ap_ssltk_type" = "x"; then - dnl First check for manditory headers - AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], []) - if test "$ap_ssltk_type" = "openssl"; then - dnl so it's OpenSSL - test for a good version - AC_MSG_CHECKING([for OpenSSL version]) - AC_TRY_COMPILE([#include ],[ + + AC_MSG_CHECKING([for OpenSSL version]) + AC_TRY_COMPILE([#include ],[ #if !defined(OPENSSL_VERSION_NUMBER) -#error "Missing openssl version" +#error "Missing OpenSSL version" #endif #if (OPENSSL_VERSION_NUMBER < 0x009060af) \ || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f)) #error "Insecure openssl version " OPENSSL_VERSION_TEXT #endif], - [AC_MSG_RESULT(OK)], - [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h? - AC_MSG_RESULT([not encouraging]) - AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!] 
- [ Ensure the latest security patches have been applied!]) - ]) - else - AC_MSG_RESULT([no OpenSSL headers found]) - fi - fi - if test "$ap_ssltk_type" != "openssl"; then - dnl Might be SSL-C - report, then test anything relevant - AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""]) - if test "$ap_ssltk_type" = "sslc"; then - ap_ssltk_libs="-lsslc" - AC_MSG_CHECKING([for SSL-C version]) - AC_TRY_COMPILE([#include ],[ -#if !defined(SSLC_VERSION_NUMBER) -#error "Missing SSL-C version" -#endif -#if SSLC_VERSION_NUMBER < 0x2310 -#define stringize_ver(x) #x -#error "Insecure SSL-C version " stringize_ver(SSLC_VERSION_NUMBER) -#endif], - [AC_MSG_RESULT(OK)], - [dnl Replace this with SSLC_VERSION_NUMBER? - AC_MSG_RESULT([not encouraging]) - echo "WARNING: SSL-C version may contain security vulnerabilities!" - echo " Ensure the latest security patches have been applied!" - ]) - else - AC_MSG_RESULT([no SSL-C headers found]) - fi - fi - if test "x$ap_ssltk_type" = "x"; then - ac_cv_ssltk="no" - AC_MSG_WARN([...No recognized SSL/TLS toolkit detected]) - else - if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then - ap_ssltk_found="yes" - ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`" - fi - APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs]) - APR_ADDTO(LIBS, [$ap_ssltk_libs]) + [AC_MSG_RESULT(OK)], + [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h? + AC_MSG_RESULT([not encouraging]) + AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!] 
+ [ Ensure the latest security patches have been applied!]) + ]) + + if test "x$ac_cv_openssl" = "xyes"; then + ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`" + APR_ADDTO(SSL_LIBS, [$ap_openssl_libs]) + APR_ADDTO(LIBS, [$ap_openssl_libs]) APACHE_SUBST(SSL_LIBS) dnl Run library and function checks liberrors="" - if test "$ap_ssltk_type" = "openssl"; then - AC_CHECK_HEADERS([openssl/engine.h]) - AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines]) - else - AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"]) - AC_CHECK_FUNCS(SSL_set_state) - fi - dnl restore - CPPFLAGS="$saved_CPPFLAGS" - LIBS="$saved_LIBS" - LDFLAGS="$saved_LDFLAGS" + AC_CHECK_HEADERS([openssl/engine.h]) + AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"]) + AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines]) if test "x$liberrors" != "x"; then - ac_cv_ssltk=no - AC_MSG_WARN([... Error, SSL/TLS libraries were missing or unusable]) + ac_cv_openssl=no + AC_MSG_WARN([OpenSSL libraries are unusable]) fi fi - ]) - if test "x$ac_cv_ssltk" = "xyes" ; then - dnl Adjust apache's configuration based on what we found above. - dnl (a) define preprocessor symbols - if test "$ap_ssltk_type" = "openssl"; then - AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL]) - else - AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C]) - fi + dnl restore + CPPFLAGS="$saved_CPPFLAGS" + LIBS="$saved_LIBS" + LDFLAGS="$saved_LDFLAGS" + ]) + if test "x$ac_cv_openssl" = "xyes"; then + AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available]) fi ]) diff --git a/modules/ssl/README b/modules/ssl/README index 49ef6623ea..c46377f27c 100644 --- a/modules/ssl/README +++ b/modules/ssl/README 
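Review bot: The library list obtained from `$PKGCONFIG --libs-only-l openssl` in the previous hunk is thrown away here: `ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"` now runs unconditionally, whereas the removed code only did that when `ap_ssltk_found` was still empty. Any extra libraries openssl.pc lists (a static or non-standard build, for instance) are therefore lost, and ap_openssl_found is now only consulted for the -I/-L fallback. Guard the assignment the way the old code did: `if test "x$ap_openssl_found" = "x"; then` / `ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"` / `fi`. Separately, the explicit AC_CHECK_HEADERS for openssl/ssl.h is gone, so a missing header now surfaces as the "OpenSSL version may contain security vulnerabilities!" warning from the failed AC_TRY_COMPILE before the function checks finally fail, which points the user at the wrong problem.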
@@ -98,7 +98,6 @@ MAJOR CHANGES the original SSLProxy* directives o per-directory SSLCACertificate{File,Path} is now thread-safe but requires SSL_set_cert_store patch to OpenSSL - o RSA sslc is supported via ssl_toolkit_compat.h o the ssl_engine_{ds,ext}.c source files are obsolete and no longer exist diff --git a/modules/ssl/config.m4 b/modules/ssl/config.m4 index a518b91e65..5f6fb40121 100644 --- a/modules/ssl/config.m4 +++ b/modules/ssl/config.m4 @@ -44,8 +44,8 @@ ssl_util_ocsp.lo dnl " dnl # hook module into the Autoconf mechanism (--enable-ssl option) APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [ - APACHE_CHECK_SSL_TOOLKIT - if test "$ac_cv_ssltk" = "yes" ; then + APACHE_CHECK_OPENSSL + if test "$ac_cv_openssl" = "yes" ; then APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)]) CHECK_OCSP if test "x$enable_ssl" = "xshared"; then diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 65a063f84b..84accdbbb2 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -250,14 +250,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data) /* * Try to kill the internals of the SSL library. */ -#ifdef HAVE_OPENSSL #if OPENSSL_VERSION_NUMBER >= 0x00907001 /* Corresponds to OPENSSL_load_builtin_modules(): * XXX: borrowed from apps.h, but why not CONF_modules_free() * which also invokes CONF_modules_finish()? */ CONF_modules_unload(1); -#endif #endif /* Corresponds to SSL_library_init: */ EVP_cleanup(); @@ -292,19 +290,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, * code can successfully test the SSL environment. */ CRYPTO_malloc_init(); -#ifdef HAVE_OPENSSL ERR_load_crypto_strings(); -#endif SSL_load_error_strings(); SSL_library_init(); #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_load_builtin_engines(); #endif -#ifdef HAVE_OPENSSL OpenSSL_add_all_algorithms(); #if OPENSSL_VERSION_NUMBER >= 0x00907001 OPENSSL_load_builtin_modules(); -#endif #endif /* 
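Review bot: `ERR_load_crypto_strings();` is kept, now unconditionally, immediately before `SSL_load_error_strings();`, yet in the OpenSSL releases this configure accepts SSL_load_error_strings() already calls ERR_load_crypto_strings() before ERR_load_SSL_strings(), so the explicit call is redundant. Since the line was only ever guarded for the non-OpenSSL build, dropping it would be the cleaner outcome of this cleanup than un-guarding it; if it is kept on purpose, a one-line comment such as `/* harmless: SSL_load_error_strings() loads these too */` would stop the next reader wondering whether the order matters. ssl_hook_pre_config continues outside the hunk.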
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 67f72eaa29..f0fb8629f7 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -895,7 +895,7 @@ static int ssl_server_import_key(server_rec *s, if (idx == SSL_AIDX_ECC) pkey_type = EVP_PKEY_EC; else -#endif /* SSL_LIBRARY_VERSION */ +#endif pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) { @@ -1265,18 +1265,11 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) } } -#ifdef SSLC_VERSION_NUMBER -static int ssl_init_FindCAList_X509NameCmp(char **a, char **b) -{ - return(X509_NAME_cmp((void*)*a, (void*)*b)); -} -#else static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, const X509_NAME * const *b) { return(X509_NAME_cmp(*a, *b)); } -#endif static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, server_rec *s, const char *file) diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index bb2933a15c..2b32706ed1 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -277,9 +277,7 @@ static BIO_METHOD bio_filter_out_method = { bio_filter_out_ctrl, bio_filter_create, bio_filter_destroy, -#ifdef OPENSSL_VERSION_NUMBER - NULL /* sslc does not have the callback_ctrl field */ -#endif + NULL }; typedef struct { @@ -531,9 +529,7 @@ static BIO_METHOD bio_filter_in_method = { NULL, /* ctrl is never called */ bio_filter_create, bio_filter_destroy, -#ifdef OPENSSL_VERSION_NUMBER - NULL /* sslc does not have the callback_ctrl field */ -#endif + NULL }; diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index af1e77d11c..eaed7ae86f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
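Review bot: The bare `NULL` that replaces the guarded initializer in bio_filter_in_method loses the one piece of information the old comment carried, namely which BIO_METHOD slot it fills, and positional initialization of a library-defined struct is exactly where a wrong slot goes unnoticed by the compiler. Keep a field comment, `NULL /* callback_ctrl */`, here and in bio_filter_out_method in the previous hunk; if the project's compiler baseline permits C99 designated initializers, `.callback_ctrl = NULL` for both tables would be better still. Both static tables begin outside their hunks.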
@@ -1671,11 +1671,8 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) */ pubkey = X509_get_pubkey(cert); rc = X509_CRL_verify(crl, pubkey); -#ifdef OPENSSL_VERSION_NUMBER - /* Only refcounted in OpenSSL */ if (pubkey) EVP_PKEY_free(pubkey); -#endif if (rc <= 0) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Invalid signature on CRL"); diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index f8637af605..0a60f66ff9 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -109,11 +109,7 @@ static apr_file_t *readtty = NULL; */ static server_rec *ssl_pphrase_server_rec = NULL; -#ifdef SSLC_VERSION_NUMBER -int ssl_pphrase_Handle_CB(char *, int, int); -#else int ssl_pphrase_Handle_CB(char *, int, int, void *); -#endif static char *pphrase_array_get(apr_array_header_t *arr, int idx) { @@ -649,14 +645,8 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify) return 0; } -#ifdef SSLC_VERSION_NUMBER -int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify) -{ - void *srv = ssl_pphrase_server_rec; -#else int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) { -#endif SSLModConfigRec *mc; server_rec *s; apr_pool_t *p; diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 34f33cf2a8..bdaa2fdb40 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -944,7 +944,6 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer, static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) { char *result = "NULL"; -#ifdef OPENSSL_VERSION_NUMBER #if (OPENSSL_VERSION_NUMBER >= 0x00908000) SSL_SESSION *pSession = SSL_get_session(ssl); @@ -969,7 +968,6 @@ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) break; } } -#endif #endif return result; } diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 5dcc65e90f..98c8eb94f1 100644 --- a/modules/ssl/ssl_private.h 
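Review bot: `X509_CRL_verify(crl, pubkey)` is still called before the `if (pubkey)` check that the commit keeps on the following line, so a certificate whose public key cannot be decoded (X509_get_pubkey() returning NULL) reaches the verify call with a NULL key. On the older OpenSSL releases configure still accepts I would not rely on the signature-verification path rejecting a NULL key gracefully; treat it as a failed verification up front, e.g. `rc = pubkey ? X509_CRL_verify(crl, pubkey) : -1;`, so it falls into the existing "Invalid signature on CRL" branch. ssl_callback_SSLVerify_CRL starts and ends outside the hunk.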
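Review bot: With the three-argument SSL-C variant gone, the only visible reader of the file-scope `ssl_pphrase_server_rec` global (`void *srv = ssl_pphrase_server_rec;` in the removed branch) is deleted, while the OpenSSL callback receives the server_rec through its `void *srv` parameter. If nothing else in the file reads that static, remove it together with whatever assigns it, rather than leaving a global that existed only to serve the removed toolkit; I cannot see the rest of the file, so this is an inference from the hunk. The body of ssl_pphrase_Handle_CB continues outside the hunk.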
+++ b/modules/ssl/ssl_private.h @@ -194,7 +194,7 @@ typedef int ssl_algo_t; #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC) #else #define SSL_ALGO_ALL (SSL_ALGO_RSA|SSL_ALGO_DSA) -#endif /* SSL_LIBRARY_VERSION */ +#endif #define SSL_AIDX_RSA (0) #define SSL_AIDX_DSA (1) @@ -203,7 +203,7 @@ typedef int ssl_algo_t; #define SSL_AIDX_MAX (3) #else #define SSL_AIDX_MAX (2) -#endif /* SSL_LIBRARY_VERSION */ +#endif /** @@ -671,7 +671,7 @@ RSA *ssl_callback_TmpRSA(SSL *, int, int); DH *ssl_callback_TmpDH(SSL *, int, int); #ifndef OPENSSL_NO_EC EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); -#endif /* SSL_LIBRARY_VERSION */ +#endif int ssl_callback_SSLVerify(int, X509_STORE_CTX *); int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey); diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h index a31258a609..69cfc25c03 100644 --- a/modules/ssl/ssl_toolkit_compat.h +++ b/modules/ssl/ssl_toolkit_compat.h @@ -20,15 +20,12 @@ /** * @file ssl_toolkit_compat.h * @brief this header file provides a compatiblity layer - * between OpenSSL and RSA sslc * * @defgroup MOD_SSL_TOOLKIT Toolkit * @ingroup MOD_SSL * @{ */ -#ifdef HAVE_OPENSSL - /** OpenSSL headers */ #include #include 
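Review bot: The `#endif` closing `#ifndef OPENSSL_NO_EC` around the `ssl_callback_TmpECDH` prototype now carries no trailing comment at all; the removed `/* SSL_LIBRARY_VERSION */` was wrong, but the fix is to make it right, not blank. Use `#endif /* !OPENSSL_NO_EC */` here, and do the same for the two closers after `SSL_ALGO_ALL` and `SSL_AIDX_MAX` earlier in the file, whose `#if` lines are outside their hunks and presumably test the same macro.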
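Review bot: The `@brief` now stops mid-thought: "this header file provides a compatiblity layer" between what and what, once the "between OpenSSL and RSA sslc" line is removed? With a single toolkit left, what the file actually does is paper over differences between OpenSSL releases (the remaining MODSSL_*_CONST and modssl_* wrappers), so say that and fix the typo: `@brief compatibility layer over the OpenSSL versions mod_ssl supports (version-dependent types, const-ness and callback signatures)`.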
@@ -181,115 +178,6 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*); #endif #endif -#elif defined(HAVE_SSLC) - -#include -#include -#include -#include -#include -#include -#include -#include - -/** sslc does not support this function, OpenSSL has since 9.5.1 */ -#define RAND_status() 1 - -/** sslc names this function a bit differently */ -#define CRYPTO_num_locks() CRYPTO_get_num_locks() - -#ifndef STACK_OF -#define STACK_OF(type) STACK -#endif - -#define MODSSL_BIO_CB_ARG_TYPE char -#define MODSSL_CRYPTO_CB_ARG_TYPE char -#define MODSSL_INFO_CB_ARG_TYPE SSL* -#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void -#define MODSSL_PCHAR_CAST (char *) -#define MODSSL_D2I_SSL_SESSION_CONST -#define MODSSL_D2I_PrivateKey_CONST -#define MODSSL_D2I_X509_CONST - -typedef int (modssl_read_bio_cb_fn)(char*,int,int); - -#define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL) - -#define modssl_PEM_read_bio_X509(b, x, cb, arg) \ - PEM_read_bio_X509(b, x, cb) - -#define modssl_PEM_X509_INFO_read_bio(b, x, cb, arg)\ - PEM_X509_INFO_read_bio(b, x, cb) - -#define modssl_PEM_read_bio_PrivateKey(b, k, cb, arg) \ - PEM_read_bio_PrivateKey(b, k, cb) - -#ifndef HAVE_SSL_SET_STATE -#define SSL_set_state(ssl, state) /** XXX: should throw an error */ -#endif - -#define modssl_set_cipher_list(ssl, l) \ - SSL_set_cipher_list(ssl, (char *)l) - -#define modssl_free free - -#ifndef PEM_F_DEF_CALLBACK -#define PEM_F_DEF_CALLBACK PEM_F_DEF_CB -#endif - -#if SSLC_VERSION_NUMBER < 0x2000 - -#define X509_STORE_CTX_set_depth(st, d) -#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate) -#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate) -#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) -#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber) - -#define modssl_set_verify(ssl, verify, cb) \ - SSL_set_verify(ssl, verify) - -#else /** SSLC_VERSION_NUMBER >= 0x2000 */ - -#define CRYPTO_malloc_init R_malloc_init - -#define EVP_cleanup() - -#endif /** SSLC_VERSION_NUMBER >= 0x2000 
*/ - -typedef void (*modssl_popfree_fn)(char *data); - -#define sk_SSL_CIPHER_dup sk_dup -#define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data) -#define sk_SSL_CIPHER_free sk_free -#define sk_SSL_CIPHER_num sk_num -#define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value -#define sk_X509_num sk_num -#define sk_X509_push sk_push -#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free)) -#define sk_X509_value (X509 *)sk_value -#define sk_X509_INFO_free sk_free -#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free)) -#define sk_X509_INFO_num sk_num -#define sk_X509_INFO_new_null sk_new_null -#define sk_X509_INFO_value (X509_INFO *)sk_value -#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data) -#define sk_X509_NAME_free sk_free -#define sk_X509_NAME_new sk_new -#define sk_X509_NAME_num sk_num -#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data) -#define sk_X509_NAME_value (X509_NAME *)sk_value -#define sk_X509_NAME_ENTRY_num sk_num -#define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value -#define sk_X509_NAME_set_cmp_func sk_set_cmp_func -#define sk_X509_REVOKED_num sk_num -#define sk_X509_REVOKED_value (X509_REVOKED *)sk_value - -#else /** ! HAVE_OPENSSL && ! HAVE_SSLC */ - -#error "Unrecognized SSL Toolkit!" - -#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */ - #ifndef modssl_set_verify #define modssl_set_verify(ssl, verify, cb) \ SSL_set_verify(ssl, verify, cb) diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c index 2b6ad0ba8f..0360964c82 100644 --- a/modules/ssl/ssl_util.c +++ b/modules/ssl/ssl_util.c @@ -159,11 +159,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey) break; } } -#ifdef OPENSSL_VERSION_NUMBER - /* Only refcounted in OpenSSL */ if (pFreeKey != NULL) EVP_PKEY_free(pFreeKey); -#endif return t; } 
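Review bot: The `#ifndef modssl_set_verify` guard that survives at the bottom of the hunk is now dead code: the only other definition of modssl_set_verify was in the removed `SSLC_VERSION_NUMBER < 0x2000` block. Define it unconditionally, i.e. keep `#define modssl_set_verify(ssl, verify, cb) SSL_set_verify(ssl, verify, cb)` and drop the surrounding `#ifndef`/`#endif`. The same likely applies to other guards that existed only for SSL-C, such as anything keyed on `HAVE_SSL_SET_STATE`, whose configure check this commit also removes; the OpenSSL section of the header is outside the hunk so I cannot confirm which remain.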
@@ -338,18 +335,8 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7) static apr_thread_mutex_t **lock_cs; static int lock_num_locks; -#ifdef HAVE_SSLC -#if SSLC_VERSION_NUMBER >= 0x2000 -static int ssl_util_thr_lock(int mode, int type, - char *file, int line) -#else -static void ssl_util_thr_lock(int mode, int type, - char *file, int line) -#endif -#else static void ssl_util_thr_lock(int mode, int type, const char *file, int line) -#endif { if (type < lock_num_locks) { if (mode & CRYPTO_LOCK) { @@ -358,14 +345,6 @@ static void ssl_util_thr_lock(int mode, int type, else { apr_thread_mutex_unlock(lock_cs[type]); } -#ifdef HAVE_SSLC -#if SSLC_VERSION_NUMBER >= 0x2000 - return 1; - } - else { - return -1; -#endif -#endif } } diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c index 62cd0de383..4373c4fff2 100644 --- a/modules/ssl/ssl_util_ssl.c +++ b/modules/ssl/ssl_util_ssl.c @@ -535,24 +535,11 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen, *cp = NUL; return str; } - -/* sslc+OpenSSL compat */ - int modssl_session_get_time(SSL_SESSION *session) { -#ifdef OPENSSL_VERSION_NUMBER return SSL_SESSION_get_time(session); -#else /* assume sslc */ - CRYPTO_TIME_T ct; - SSL_SESSION_get_time(session, &ct); - return CRYPTO_time_to_int(&ct); -#endif } -#ifndef SSLC_VERSION_NUMBER -#define SSLC_VERSION_NUMBER 0x0000 -#endif - DH *modssl_dh_configure(unsigned char *p, int plen, unsigned char *g, int glen) { @@ -562,17 +549,12 @@ DH *modssl_dh_configure(unsigned char *p, int plen, return NULL; } -#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000) dh->p = BN_bin2bn(p, plen, NULL); dh->g = BN_bin2bn(g, glen, NULL); if (!(dh->p && dh->g)) { DH_free(dh); return NULL; } -#else - R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY); - R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY); -#endif return dh; } 
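Review bot: After the rewrite ssl_util_thr_lock silently does nothing when `type >= lock_num_locks`: the removed SSL-C variant at least returned -1 to the library, but the OpenSSL callback is void, so a mismatch between lock_num_locks and the ids the library asks for becomes a silently unlocked critical section rather than a reported error. OpenSSL only passes ids below CRYPTO_num_locks(), so this is fine provided lock_num_locks is initialised from that (the initialisation is outside the hunk); an `else` branch logging at APLOG_CRIT, or at least `AP_DEBUG_ASSERT(type >= 0 && type < lock_num_locks);` at the top, would make a violation visible instead of a race. `type` is a signed int, so the `type >= 0` half costs nothing.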
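Review bot: modssl_session_get_time is now a plain wrapper around SSL_SESSION_get_time(), but it still returns `int` while SSL_SESSION_get_time() returns `long`, so the commit keeps a narrowing conversion whose only justification, the SSL-C CRYPTO_time_to_int path, it has just deleted. Either change the return type to `long modssl_session_get_time(SSL_SESSION *session)` here and in ssl_util_ssl.h after checking what the callers store it in, or remove the wrapper and call SSL_SESSION_get_time() directly. The removed "sslc+OpenSSL compat" comment was the only hint why the function exists; if it stays, give it a one-line comment saying so.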
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h index cabfb27c91..c56b5a0435 100644 --- a/modules/ssl/ssl_util_ssl.h +++ b/modules/ssl/ssl_util_ssl.h @@ -35,30 +35,13 @@ #define __SSL_UTIL_SSL_H__ /** - * Determine SSL library version number + * SSL library version number */ -#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF) -#ifdef OPENSSL_VERSION_NUMBER #define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER #define SSL_LIBRARY_NAME "OpenSSL" #define SSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT #define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) -#elif defined(SSLC_VERSION_NUMBER) -#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER -#define SSL_LIBRARY_NAME "SSL-C" -#define SSL_LIBRARY_TEXT { 'S', 'S', 'L', '-', 'C', ' ', \ - '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \ - '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \ - '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \ - '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 } -#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION) -#elif !defined(SSL_LIBRARY_VERSION) -#define SSL_LIBRARY_VERSION 0x0000 -#define SSL_LIBRARY_NAME "OtherSSL" -#define SSL_LIBRARY_TEXT "OtherSSL 0.0.0 00 XXX 0000" -#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000" -#endif /** * Maximum length of a DER encoded session. @@ -92,7 +75,6 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const c int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *); char *SSL_SESSION_id2sz(unsigned char *, int, char *, int); -/** util functions for OpenSSL+sslc compat */ int modssl_session_get_time(SSL_SESSION *session); DH *modssl_dh_configure(unsigned char *p, int plen, diff --git a/support/ab.c b/support/ab.c index f1ccd678cf..ed3b265279 100644 --- a/support/ab.c +++ b/support/ab.c 
@@ -156,25 +156,8 @@ #include "ap_config_auto.h" #endif -#if defined(HAVE_SSLC) +#if defined(HAVE_OPENSSL) -/* Libraries for RSA SSL-C */ -#include -#include -#include -#include -#include -#include -#include -#define USE_SSL -#define RSAREF -#define SK_NUM(x) sk_num(x) -#define SK_VALUE(x,y) sk_value(x,y) -typedef STACK X509_STACK_TYPE; - -#elif defined(HAVE_OPENSSL) - -/* Libraries on most systems.. */ #include #include #include