Drop support for the RSA BSAFE SSL-C toolkit from configure,

and remove #ifdef'ed code from mod_ssl and ab where applicable. Consensus for dropping support for SSL/TLS toolkits other than OpenSSL was reached on dev@httpd in June 2010 (message with ID <20100602162310.GA11156@redhat.com> and follow-ups). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1154683 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2011-08-07 10:29:09 +00:00
parent f19d2caa4d
commit 1eb818742f
16 changed files with 72 additions and 343 deletions
--- a/3
+++ b/3
@@ -1,6 +1,9 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.3.15

+  *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
+     [Kaspar Brand]
+
  *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the 
     cookie is set when modules such as mod_rewrite trigger a redirect. Also
     use r->err_headers_out for the cookie, for the same reason.  PR29755.
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -437,41 +437,32 @@ AC_DEFUN(APACHE_REQUIRE_CXX,[
 ])

 dnl
-dnl APACHE_CHECK_SSL_TOOLKIT
+dnl APACHE_CHECK_OPENSSL
 dnl
-dnl Configure for the detected openssl/ssl-c toolkit installation, giving
-dnl preference to "--with-ssl=<path>" if it was specified.
+dnl Configure for OpenSSL, giving preference to
+dnl "--with-ssl=<path>" if it was specified.
 dnl
-AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
-  AC_CACHE_CHECK([for SSL/TLS toolkit], [ac_cv_ssltk], [
+AC_DEFUN(APACHE_CHECK_OPENSSL,[
+  AC_CACHE_CHECK([for OpenSSL], [ac_cv_openssl], [
    dnl initialise the variables we use
-    ac_cv_ssltk=yes
-    ap_ssltk_found=""
-    ap_ssltk_base=""
-    ap_ssltk_libs=""
-    ap_ssltk_type=""
+    ac_cv_openssl=yes
+    ap_openssl_found=""
+    ap_openssl_base=""
+    ap_openssl_libs=""

-    dnl Determine the SSL/TLS toolkit's base directory, if any
-    AC_MSG_CHECKING([for user-provided SSL/TLS toolkit base])
-    AC_ARG_WITH(sslc, APACHE_HELP_STRING(--with-sslc=DIR,RSA SSL-C SSL/TLS toolkit), [
-      dnl If --with-sslc specifies a directory, we use that directory or fail
+    dnl Determine the OpenSSL base directory, if any
+    AC_MSG_CHECKING([for user-provided OpenSSL base directory])
+    AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL base directory), [
+      dnl If --with-ssl specifies a directory, we use that directory
      if test "x$withval" != "xyes" -a "x$withval" != "x"; then
        dnl This ensures $withval is actually a directory and that it is absolute
-        ap_ssltk_base="`cd $withval ; pwd`"
-      fi
-      ap_ssltk_type="sslc"
-    ])
-    AC_ARG_WITH(ssl, APACHE_HELP_STRING(--with-ssl=DIR,OpenSSL SSL/TLS toolkit), [
-      dnl If --with-ssl specifies a directory, we use that directory or fail
-      if test "x$withval" != "xyes" -a "x$withval" != "x"; then
-        dnl This ensures $withval is actually a directory and that it is absolute
-        ap_ssltk_base="`cd $withval ; pwd`"
+        ap_openssl_base="`cd $withval ; pwd`"
      fi
    ])
-    if test "x$ap_ssltk_base" = "x"; then
+    if test "x$ap_openssl_base" = "x"; then
      AC_MSG_RESULT(none)
    else
-      AC_MSG_RESULT($ap_ssltk_base)
+      AC_MSG_RESULT($ap_openssl_base)
    fi

    dnl Run header and version checks
@@ -480,19 +471,19 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
    saved_LDFLAGS="$LDFLAGS"
    SSL_LIBS=""

-    dnl Before doing anything else, load in pkg-config variables (if not sslc).
-    if test "x$ap_ssltk_type" = "x" -a -n "$PKGCONFIG"; then
+    dnl Before doing anything else, load in pkg-config variables
+    if test -n "$PKGCONFIG"; then
      saved_PKG_CONFIG_PATH="$PKG_CONFIG_PATH"
-      if test "x$ap_ssltk_base" != "x" -a \
-              -f "${ap_ssltk_base}/lib/pkgconfig/openssl.pc"; then
+      if test "x$ap_openssl_base" != "x" -a \
+              -f "${ap_openssl_base}/lib/pkgconfig/openssl.pc"; then
        dnl Ensure that the given path is used by pkg-config too, otherwise
        dnl the system openssl.pc might be picked up instead.
-        PKG_CONFIG_PATH="${ap_ssltk_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
+        PKG_CONFIG_PATH="${ap_openssl_base}/lib/pkgconfig${PKG_CONFIG_PATH+:}${PKG_CONFIG_PATH}"
        export PKG_CONFIG_PATH
      fi
-      ap_ssltk_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
+      ap_openssl_libs="`$PKGCONFIG --libs-only-l openssl 2>&1`"
      if test $? -eq 0; then
-        ap_ssltk_found="yes"
+        ap_openssl_found="yes"
        pkglookup="`$PKGCONFIG --cflags-only-I openssl`"
        APR_ADDTO(CPPFLAGS, [$pkglookup])
        APR_ADDTO(INCLUDES, [$pkglookup])
@@ -502,105 +493,59 @@ AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[
      fi
      PKG_CONFIG_PATH="$saved_PKG_CONFIG_PATH"
    fi
-    if test "x$ap_ssltk_base" != "x" -a "x$ap_ssltk_found" = "x"; then
-      APR_ADDTO(CPPFLAGS, [-I$ap_ssltk_base/include])
-      APR_ADDTO(INCLUDES, [-I$ap_ssltk_base/include])
-      APR_ADDTO(LDFLAGS, [-L$ap_ssltk_base/lib])
-      APR_ADDTO(SSL_LIBS, [-L$ap_ssltk_base/lib])
+
+    dnl fall back to the user-supplied directory if not found via pkg-config
+    if test "x$ap_openssl_base" != "x" -a "x$ap_openssl_found" = "x"; then
+      APR_ADDTO(CPPFLAGS, [-I$ap_openssl_base/include])
+      APR_ADDTO(INCLUDES, [-I$ap_openssl_base/include])
+      APR_ADDTO(LDFLAGS, [-L$ap_openssl_base/lib])
+      APR_ADDTO(SSL_LIBS, [-L$ap_openssl_base/lib])
      if test "x$ap_platform_runtime_link_flag" != "x"; then
-        APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
-        APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_ssltk_base/lib])
+        APR_ADDTO(LDFLAGS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
+        APR_ADDTO(SSL_LIBS, [$ap_platform_runtime_link_flag$ap_openssl_base/lib])
      fi
    fi
-    if test "x$ap_ssltk_type" = "x"; then
-      dnl First check for manditory headers
-      AC_CHECK_HEADERS([openssl/opensslv.h openssl/ssl.h], [ap_ssltk_type="openssl"], [])
-      if test "$ap_ssltk_type" = "openssl"; then
-        dnl so it's OpenSSL - test for a good version
-        AC_MSG_CHECKING([for OpenSSL version])
-        AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
+
+    AC_MSG_CHECKING([for OpenSSL version])
+    AC_TRY_COMPILE([#include <openssl/opensslv.h>],[
 #if !defined(OPENSSL_VERSION_NUMBER)
-#error "Missing openssl version"
+#error "Missing OpenSSL version"
 #endif
 #if  (OPENSSL_VERSION_NUMBER < 0x009060af) \
 || ((OPENSSL_VERSION_NUMBER > 0x00907000) && (OPENSSL_VERSION_NUMBER < 0x0090702f))
 #error "Insecure openssl version " OPENSSL_VERSION_TEXT
 #endif],
-        [AC_MSG_RESULT(OK)],
-        [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
-         AC_MSG_RESULT([not encouraging])
-         AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
-                     [ Ensure the latest security patches have been applied!])
-        ])
-      else
-        AC_MSG_RESULT([no OpenSSL headers found])
-      fi
-    fi
-    if test "$ap_ssltk_type" != "openssl"; then
-      dnl Might be SSL-C - report, then test anything relevant
-      AC_CHECK_HEADERS([sslc.h], [ap_ssltk_type="sslc"], [ap_ssltk_type=""])
-      if test "$ap_ssltk_type" = "sslc"; then
-        ap_ssltk_libs="-lsslc"
-        AC_MSG_CHECKING([for SSL-C version])
-        AC_TRY_COMPILE([#include <sslc.h>],[
-#if !defined(SSLC_VERSION_NUMBER)
-#error "Missing SSL-C version"
-#endif
-#if SSLC_VERSION_NUMBER < 0x2310
-#define stringize_ver(x) #x
-#error "Insecure SSL-C version " stringize_ver(SSLC_VERSION_NUMBER)
-#endif],
-        [AC_MSG_RESULT(OK)],
-        [dnl Replace this with SSLC_VERSION_NUMBER?
-         AC_MSG_RESULT([not encouraging])
-         echo "WARNING: SSL-C version may contain security vulnerabilities!"
-         echo "         Ensure the latest security patches have been applied!"
-        ])
-      else
-        AC_MSG_RESULT([no SSL-C headers found])
-      fi
-    fi
-    if test "x$ap_ssltk_type" = "x"; then
-      ac_cv_ssltk="no"
-      AC_MSG_WARN([...No recognized SSL/TLS toolkit detected])
-    else
-      if test "$ap_ssltk_type" = "openssl" -a "x$ap_ssltk_found" = "x"; then
-        ap_ssltk_found="yes"
-        ap_ssltk_libs="-lssl -lcrypto `$apr_config --libs`"
-      fi
-      APR_ADDTO(SSL_LIBS, [$ap_ssltk_libs])
-      APR_ADDTO(LIBS, [$ap_ssltk_libs])
+      [AC_MSG_RESULT(OK)],
+      [dnl Replace this with OPENSSL_VERSION_TEXT from opensslv.h?
+       AC_MSG_RESULT([not encouraging])
+       AC_MSG_WARN([OpenSSL version may contain security vulnerabilities!]
+                   [ Ensure the latest security patches have been applied!])
+    ])
+
+    if test "x$ac_cv_openssl" = "xyes"; then
+      ap_openssl_libs="-lssl -lcrypto `$apr_config --libs`"
+      APR_ADDTO(SSL_LIBS, [$ap_openssl_libs])
+      APR_ADDTO(LIBS, [$ap_openssl_libs])
      APACHE_SUBST(SSL_LIBS)

      dnl Run library and function checks
      liberrors=""
-      if test "$ap_ssltk_type" = "openssl"; then
-        AC_CHECK_HEADERS([openssl/engine.h])
-        AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
-        AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
-      else
-        AC_CHECK_FUNCS([SSLC_library_version SSL_CTX_new], [], [liberrors="yes"])
-        AC_CHECK_FUNCS(SSL_set_state)
-      fi
-      dnl restore
-      CPPFLAGS="$saved_CPPFLAGS"
-      LIBS="$saved_LIBS"
-      LDFLAGS="$saved_LDFLAGS"
+      AC_CHECK_HEADERS([openssl/engine.h])
+      AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
+      AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
      if test "x$liberrors" != "x"; then
-        ac_cv_ssltk=no
-        AC_MSG_WARN([... Error, SSL/TLS libraries were missing or unusable])
+        ac_cv_openssl=no
+        AC_MSG_WARN([OpenSSL libraries are unusable])
      fi
    fi
-  ])

-  if test "x$ac_cv_ssltk" = "xyes" ; then
-    dnl Adjust apache's configuration based on what we found above.
-    dnl (a) define preprocessor symbols
-    if test "$ap_ssltk_type" = "openssl"; then
-      AC_DEFINE(HAVE_OPENSSL, 1, [Define if SSL is supported using OpenSSL])
-    else
-      AC_DEFINE(HAVE_SSLC, 1, [Define if SSL is supported using SSL-C])
-    fi
+    dnl restore
+    CPPFLAGS="$saved_CPPFLAGS"
+    LIBS="$saved_LIBS"
+    LDFLAGS="$saved_LDFLAGS"
+  ])
+  if test "x$ac_cv_openssl" = "xyes"; then
+    AC_DEFINE(HAVE_OPENSSL, 1, [Define if OpenSSL is available])
  fi
 ])

--- a/modules/ssl/README
+++ b/modules/ssl/README
@@ -98,7 +98,6 @@ MAJOR CHANGES
     the original SSLProxy* directives
 o per-directory SSLCACertificate{File,Path} is now thread-safe but
   requires SSL_set_cert_store patch to OpenSSL
- o RSA sslc is supported via ssl_toolkit_compat.h
 o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
   exist

--- a/modules/ssl/config.m4
+++ b/modules/ssl/config.m4
@@ -44,8 +44,8 @@ ssl_util_ocsp.lo dnl
 "
 dnl #  hook module into the Autoconf mechanism (--enable-ssl option)
 APACHE_MODULE(ssl, [SSL/TLS support (mod_ssl)], $ssl_objs, , most, [
-    APACHE_CHECK_SSL_TOOLKIT
-    if test "$ac_cv_ssltk" = "yes" ; then
+    APACHE_CHECK_OPENSSL
+    if test "$ac_cv_openssl" = "yes" ; then
        APR_ADDTO(MOD_SSL_LDADD, [\$(SSL_LIBS)])
        CHECK_OCSP
        if test "x$enable_ssl" = "xshared"; then
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -250,14 +250,12 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
    /*
     * Try to kill the internals of the SSL library.
     */
-#ifdef HAVE_OPENSSL
 #if OPENSSL_VERSION_NUMBER >= 0x00907001
    /* Corresponds to OPENSSL_load_builtin_modules():
     * XXX: borrowed from apps.h, but why not CONF_modules_free()
     * which also invokes CONF_modules_finish()?
     */
    CONF_modules_unload(1);
-#endif
 #endif
    /* Corresponds to SSL_library_init: */
    EVP_cleanup();
@@ -292,19 +290,15 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
     * code can successfully test the SSL environment.
     */
    CRYPTO_malloc_init();
-#ifdef HAVE_OPENSSL
    ERR_load_crypto_strings();
-#endif
    SSL_load_error_strings();
    SSL_library_init();
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_load_builtin_engines();
 #endif
-#ifdef HAVE_OPENSSL
    OpenSSL_add_all_algorithms();
 #if OPENSSL_VERSION_NUMBER >= 0x00907001
    OPENSSL_load_builtin_modules();
-#endif
 #endif

    /*
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -895,7 +895,7 @@ static int ssl_server_import_key(server_rec *s,
    if (idx == SSL_AIDX_ECC)
      pkey_type = EVP_PKEY_EC;
    else
-#endif /* SSL_LIBRARY_VERSION */
+#endif
    pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA;

    if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) {
@@ -1265,18 +1265,11 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
    }
 }

-#ifdef SSLC_VERSION_NUMBER
-static int ssl_init_FindCAList_X509NameCmp(char **a, char **b)
-{
-    return(X509_NAME_cmp((void*)*a, (void*)*b));
-}
-#else
 static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, 
                                           const X509_NAME * const *b)
 {
    return(X509_NAME_cmp(*a, *b));
 }
-#endif

 static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
                                server_rec *s, const char *file)
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -277,9 +277,7 @@ static BIO_METHOD bio_filter_out_method = {
    bio_filter_out_ctrl,
    bio_filter_create,
    bio_filter_destroy,
-#ifdef OPENSSL_VERSION_NUMBER
-    NULL /* sslc does not have the callback_ctrl field */
-#endif
+    NULL
 };

 typedef struct {
@@ -531,9 +529,7 @@ static BIO_METHOD bio_filter_in_method = {
    NULL,                       /* ctrl is never called */
    bio_filter_create,
    bio_filter_destroy,
-#ifdef OPENSSL_VERSION_NUMBER
-    NULL /* sslc does not have the callback_ctrl field */
-#endif
+    NULL
 };


--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1671,11 +1671,8 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
         */
        pubkey = X509_get_pubkey(cert);
        rc = X509_CRL_verify(crl, pubkey);
-#ifdef OPENSSL_VERSION_NUMBER
-        /* Only refcounted in OpenSSL */
        if (pubkey)
            EVP_PKEY_free(pubkey);
-#endif
        if (rc <= 0) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
                         "Invalid signature on CRL");
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -109,11 +109,7 @@ static apr_file_t *readtty = NULL;
 */
 static server_rec *ssl_pphrase_server_rec = NULL;

-#ifdef SSLC_VERSION_NUMBER
-int ssl_pphrase_Handle_CB(char *, int, int);
-#else
 int ssl_pphrase_Handle_CB(char *, int, int, void *);
-#endif

 static char *pphrase_array_get(apr_array_header_t *arr, int idx)
 {
@@ -649,14 +645,8 @@ static int pipe_get_passwd_cb(char *buf, int length, char *prompt, int verify)
    return 0;
 }

-#ifdef SSLC_VERSION_NUMBER
-int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify)
-{
-    void *srv = ssl_pphrase_server_rec;
-#else
 int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv)
 {
-#endif
    SSLModConfigRec *mc;
    server_rec *s;
    apr_pool_t *p;
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -944,7 +944,6 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
 {
    char *result = "NULL";
-#ifdef OPENSSL_VERSION_NUMBER
 #if (OPENSSL_VERSION_NUMBER >= 0x00908000)
    SSL_SESSION *pSession = SSL_get_session(ssl);

@@ -969,7 +968,6 @@ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
            break;
        }
    }
-#endif
 #endif
    return result;
 }
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -194,7 +194,7 @@ typedef int ssl_algo_t;
 #define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA|SSL_ALGO_ECC)
 #else
 #define SSL_ALGO_ALL     (SSL_ALGO_RSA|SSL_ALGO_DSA)
-#endif /* SSL_LIBRARY_VERSION */
+#endif

 #define SSL_AIDX_RSA     (0)
 #define SSL_AIDX_DSA     (1)
@@ -203,7 +203,7 @@ typedef int ssl_algo_t;
 #define SSL_AIDX_MAX     (3)
 #else
 #define SSL_AIDX_MAX     (2)
-#endif /* SSL_LIBRARY_VERSION */
+#endif


 /**
@@ -671,7 +671,7 @@ RSA         *ssl_callback_TmpRSA(SSL *, int, int);
 DH          *ssl_callback_TmpDH(SSL *, int, int);
 #ifndef OPENSSL_NO_EC
 EC_KEY      *ssl_callback_TmpECDH(SSL *, int, int);
-#endif /* SSL_LIBRARY_VERSION */
+#endif
 int          ssl_callback_SSLVerify(int, X509_STORE_CTX *);
 int          ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
 int          ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey);
--- a/modules/ssl/ssl_toolkit_compat.h
+++ b/modules/ssl/ssl_toolkit_compat.h
@@ -20,15 +20,12 @@
 /**
 * @file ssl_toolkit_compat.h 
 * @brief this header file provides a compatiblity layer
- *        between OpenSSL and RSA sslc
 *
 * @defgroup MOD_SSL_TOOLKIT Toolkit
 * @ingroup  MOD_SSL
 * @{
 */

-#ifdef HAVE_OPENSSL
-
 /** OpenSSL headers */
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -181,115 +178,6 @@ typedef int (modssl_read_bio_cb_fn)(char*,int,int,void*);
 #endif
 #endif

-#elif defined(HAVE_SSLC)
-
-#include <bio.h>
-#include <ssl.h>
-#include <err.h>
-#include <x509.h>
-#include <pem.h>
-#include <evp.h>
-#include <objects.h>
-#include <sslc.h>
-
-/** sslc does not support this function, OpenSSL has since 9.5.1 */
-#define RAND_status() 1
-
-/** sslc names this function a bit differently */
-#define CRYPTO_num_locks() CRYPTO_get_num_locks()
-
-#ifndef STACK_OF
-#define STACK_OF(type) STACK
-#endif
-
-#define MODSSL_BIO_CB_ARG_TYPE char
-#define MODSSL_CRYPTO_CB_ARG_TYPE char
-#define MODSSL_INFO_CB_ARG_TYPE SSL*
-#define MODSSL_CLIENT_CERT_CB_ARG_TYPE void
-#define MODSSL_PCHAR_CAST (char *)
-#define MODSSL_D2I_SSL_SESSION_CONST
-#define MODSSL_D2I_PrivateKey_CONST
-#define MODSSL_D2I_X509_CONST
-
-typedef int (modssl_read_bio_cb_fn)(char*,int,int);
-
-#define modssl_X509_verify_cert(c) X509_verify_cert(c, NULL)
-
-#define modssl_PEM_read_bio_X509(b, x, cb, arg) \
-   PEM_read_bio_X509(b, x, cb)
-
-#define modssl_PEM_X509_INFO_read_bio(b, x, cb, arg)\
-   PEM_X509_INFO_read_bio(b, x, cb)
-
-#define modssl_PEM_read_bio_PrivateKey(b, k, cb, arg) \
-   PEM_read_bio_PrivateKey(b, k, cb)
-
-#ifndef HAVE_SSL_SET_STATE
-#define SSL_set_state(ssl, state) /** XXX: should throw an error */
-#endif
-
-#define modssl_set_cipher_list(ssl, l) \
-   SSL_set_cipher_list(ssl, (char *)l)
-
-#define modssl_free free
-
-#ifndef PEM_F_DEF_CALLBACK
-#define PEM_F_DEF_CALLBACK PEM_F_DEF_CB
-#endif
-
-#if SSLC_VERSION_NUMBER < 0x2000
-
-#define X509_STORE_CTX_set_depth(st, d)    
-#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate)
-#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate)
-#define X509_CRL_get_REVOKED(x)    ((x)->crl->revoked)
-#define X509_REVOKED_get_serialNumber(xs) (xs->serialNumber)
-
-#define modssl_set_verify(ssl, verify, cb) \
-    SSL_set_verify(ssl, verify)
-
-#else /** SSLC_VERSION_NUMBER >= 0x2000 */
-
-#define CRYPTO_malloc_init R_malloc_init
-
-#define EVP_cleanup() 
-
-#endif /** SSLC_VERSION_NUMBER >= 0x2000 */
-
-typedef void (*modssl_popfree_fn)(char *data);
-
-#define sk_SSL_CIPHER_dup sk_dup
-#define sk_SSL_CIPHER_find(st, data) sk_find(st, (void *)data)
-#define sk_SSL_CIPHER_free sk_free
-#define sk_SSL_CIPHER_num sk_num
-#define sk_SSL_CIPHER_value (SSL_CIPHER *)sk_value
-#define sk_X509_num sk_num
-#define sk_X509_push sk_push
-#define sk_X509_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
-#define sk_X509_value (X509 *)sk_value
-#define sk_X509_INFO_free sk_free
-#define sk_X509_INFO_pop_free(st, free) sk_pop_free((STACK*)(st), (modssl_popfree_fn)(free))
-#define sk_X509_INFO_num sk_num
-#define sk_X509_INFO_new_null sk_new_null
-#define sk_X509_INFO_value (X509_INFO *)sk_value
-#define sk_X509_NAME_find(st, data) sk_find(st, (void *)data)
-#define sk_X509_NAME_free sk_free
-#define sk_X509_NAME_new sk_new
-#define sk_X509_NAME_num sk_num
-#define sk_X509_NAME_push(st, data) sk_push(st, (void *)data)
-#define sk_X509_NAME_value (X509_NAME *)sk_value
-#define sk_X509_NAME_ENTRY_num sk_num
-#define sk_X509_NAME_ENTRY_value (X509_NAME_ENTRY *)sk_value
-#define sk_X509_NAME_set_cmp_func sk_set_cmp_func
-#define sk_X509_REVOKED_num sk_num
-#define sk_X509_REVOKED_value (X509_REVOKED *)sk_value
-
-#else /** ! HAVE_OPENSSL && ! HAVE_SSLC */
-
-#error "Unrecognized SSL Toolkit!"
-
-#endif /* ! HAVE_OPENSSL && ! HAVE_SSLC */
-
 #ifndef modssl_set_verify
 #define modssl_set_verify(ssl, verify, cb) \
    SSL_set_verify(ssl, verify, cb)
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -159,11 +159,8 @@ ssl_algo_t ssl_util_algotypeof(X509 *pCert, EVP_PKEY *pKey)
                break;
        }
    }
-#ifdef OPENSSL_VERSION_NUMBER
-    /* Only refcounted in OpenSSL */
    if (pFreeKey != NULL)
        EVP_PKEY_free(pFreeKey);
-#endif
    return t;
 }

@@ -338,18 +335,8 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
 static apr_thread_mutex_t **lock_cs;
 static int                  lock_num_locks;

-#ifdef HAVE_SSLC
-#if SSLC_VERSION_NUMBER >= 0x2000
-static int ssl_util_thr_lock(int mode, int type,
-                             char *file, int line)
-#else
-static void ssl_util_thr_lock(int mode, int type,
-                              char *file, int line)
-#endif
-#else
 static void ssl_util_thr_lock(int mode, int type,
                              const char *file, int line)
-#endif
 {
    if (type < lock_num_locks) {
        if (mode & CRYPTO_LOCK) {
@@ -358,14 +345,6 @@ static void ssl_util_thr_lock(int mode, int type,
        else {
            apr_thread_mutex_unlock(lock_cs[type]);
        }
-#ifdef HAVE_SSLC
-#if SSLC_VERSION_NUMBER >= 0x2000
-        return 1;
-    }
-    else {
-        return -1;
-#endif
-#endif
    }
 }

--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -535,24 +535,11 @@ char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
    *cp = NUL;
    return str;
 }
-
-/* sslc+OpenSSL compat */
-
 int modssl_session_get_time(SSL_SESSION *session)
 {
-#ifdef OPENSSL_VERSION_NUMBER
    return SSL_SESSION_get_time(session);
-#else /* assume sslc */
-    CRYPTO_TIME_T ct;
-    SSL_SESSION_get_time(session, &ct);
-    return CRYPTO_time_to_int(&ct);
-#endif
 }

-#ifndef SSLC_VERSION_NUMBER
-#define SSLC_VERSION_NUMBER 0x0000
-#endif
-
 DH *modssl_dh_configure(unsigned char *p, int plen,
                        unsigned char *g, int glen)
 {
@@ -562,17 +549,12 @@ DH *modssl_dh_configure(unsigned char *p, int plen,
        return NULL;
    }

-#if defined(OPENSSL_VERSION_NUMBER) || (SSLC_VERSION_NUMBER < 0x2000)
    dh->p = BN_bin2bn(p, plen, NULL);
    dh->g = BN_bin2bn(g, glen, NULL);
    if (!(dh->p && dh->g)) {
        DH_free(dh);
        return NULL;
    }
-#else
-    R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_P, 0, p, plen, R_EITEMS_PF_COPY);
-    R_EITEMS_add(dh->data, PK_TYPE_DH, PK_DH_G, 0, g, glen, R_EITEMS_PF_COPY);
-#endif

    return dh;
 }
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -35,30 +35,13 @@
 #define __SSL_UTIL_SSL_H__

 /**
- * Determine SSL library version number
+ * SSL library version number
 */
-#define SSL_NIBBLE(x,n) ((x >> (n * 4)) & 0xF)

-#ifdef OPENSSL_VERSION_NUMBER
 #define SSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
 #define SSL_LIBRARY_NAME    "OpenSSL"
 #define SSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
 #define SSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
-#elif defined(SSLC_VERSION_NUMBER)
-#define SSL_LIBRARY_VERSION SSLC_VERSION_NUMBER
-#define SSL_LIBRARY_NAME    "SSL-C"
-#define SSL_LIBRARY_TEXT    { 'S', 'S', 'L', '-', 'C', ' ', \
-                              '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,3), '.', \
-                              '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,2), '.', \
-                              '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,1), '.', \
-                              '0' + SSL_NIBBLE(SSLC_VERSION_NUMBER,0), 0 }
-#define SSL_LIBRARY_DYNTEXT SSLC_library_info(SSLC_INFO_VERSION)
-#elif !defined(SSL_LIBRARY_VERSION)
-#define SSL_LIBRARY_VERSION 0x0000
-#define SSL_LIBRARY_NAME    "OtherSSL"
-#define SSL_LIBRARY_TEXT    "OtherSSL 0.0.0 00 XXX 0000"
-#define SSL_LIBRARY_DYNTEXT "OtherSSL 0.0.0 00 XXX 0000"
-#endif

 /**
 *  Maximum length of a DER encoded session.
@@ -92,7 +75,6 @@ BOOL        SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const c
 int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, modssl_read_bio_cb_fn *);
 char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);

-/** util functions for OpenSSL+sslc compat */
 int modssl_session_get_time(SSL_SESSION *session);

 DH *modssl_dh_configure(unsigned char *p, int plen,
--- a/support/ab.c
+++ b/support/ab.c
@@ -156,25 +156,8 @@
 #include "ap_config_auto.h"
 #endif

-#if defined(HAVE_SSLC)
+#if defined(HAVE_OPENSSL)

-/* Libraries for RSA SSL-C */
-#include <rsa.h>
-#include <x509.h>
-#include <pem.h>
-#include <err.h>
-#include <ssl.h>
-#include <r_rand.h>
-#include <sslc.h>
-#define USE_SSL
-#define RSAREF
-#define SK_NUM(x) sk_num(x)
-#define SK_VALUE(x,y) sk_value(x,y)
-typedef STACK X509_STACK_TYPE;
-
-#elif defined(HAVE_OPENSSL)
-
-/* Libraries on most systems.. */
 #include <openssl/rsa.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>