curl-users

FW: Maintainers of CURL,..., Heads up! (from cygwin-apps ML)

From: Roth, Kevin P. <KPRoth_at_MarathonOil.com>
Date: Tue, 15 Jan 2002 12:35:07 -0500

See below for a note regarding updating the version of OpenSSL
distributed with cygwin. I grabbed her test copy to see whether or not
curl was compatible. I was able to successfully test a simple HTTPS
download, so I assume it more or less works. However, I get the
following back from curl --version:

  curl 7.9.2 (i686-pc-cygwin) libcurl 7.9.2 (OpenSSL 0.9.6b)

But I have OpenSSL 0.9.6c installed now.

I vaguely recall that this has been discussed before on the curl mailing
list, but I'm wondering whether it needs revisiting. Shouldn't the
version of OpenSSL displayed be pulled from my local computer (at
run-time as opposed to compile time)? If the code already IS supposed to
be pulling from the local machine, then either the version number
compiled into the cygwin build of OpenSSL 0.9.6c is wrong (I suppose
anything's possible), or it's not quite working...

--Kevin

-----Original Message-----
From: Corinna Vinschen
Sent: Monday, January 14, 2002 5:26 AM

===================================================================
==                           IMPORTANT                           ==
===================================================================

I'm going to update OpenSSL from version 0.9.6b to version 0.9.6c
very soon now, probably next Sunday.

You as the maintainers of the packages who depend on OpenSSL should
check if the existing binary packages will still run when I upgrade.

I'd like to ask you to check if your packages will still run
with a patchlevel upgrade of OpenSSL. Otherwise I'd suggest to
patch the code which checks the OpenSSL version (if any). The
version of OpenSSL is returned by the function SSLeay(). It returns
a hex number with the format

  MMNNFFPPS: M = major, N = minor, F = fix, p = patch, s = status.

Accordingly the release version 0.9.6b returns

  SSLeay() = 0x00090602f == 0 9 6 b and f=release

the release version 0.9.6c returns

  SSLeay() = 0x00090602f == 0 9 6 c f=release

Description is in `man 3 OPENSSL_VERSION_NUMBER'.

The situation in OpenSSH was, OpenSSH-3.0.2p1 unfortunately checks
for exact equality against the version number of OpenSSL which is
linked against:

  if (SSLeay() != OPENSSL_VERSION_NUMBER)
    exit

The current CVS version of OpenSSH contains a patch which checks
for the version but w/o checking for the patch level:

  if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
    exit

I patched OpenSSH-3.0.2p1-4 so that it also uses that test. This
version will have no problem when I upgrade to OpenSSL-0.9.6c.

Please make sure that your package will still run next Sunday.
I'm not going to use a different name for the DLL since it's
not a version upgrade, just a patchlevel upgrade. The shared
libs on U*X systems would still use the same name either
(libcrypto.0.9.6.so, libssl.0.9.6.so).

The next point is, please check if your packages depend on either
the IDEA or the RC5 algorithms. If so, please rebuild w/o that
dependency.

Thanks,
Corinna
Received on 2002-01-15
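
The two version tests quoted in the forwarded message, side by side, as an added example that is not code from curl, OpenSSH or either poster. It decodes the packed number and shows which upgrades each test accepts. The helper names are hypothetical and the sample constants are constructed from the layout documented for OpenSSL 0.9.x; a real program would pass `SSLeay()` as the run-time value and `OPENSSL_VERSION_NUMBER` as the build-time value.

```c
#include <stdio.h>

/* Packed layout documented for OpenSSL 0.9.x: one hex digit major, two each
   for minor, fix and patch, one for status (0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_ver(unsigned long v)
{
    struct ossl_ver d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);   /* 1 = 'a', 2 = 'b', 3 = 'c' */
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* Strict test: any difference between run-time and build-time value fails. */
static int exact_match(unsigned long runtime, unsigned long built)
{
    return runtime == built;
}

/* Relaxed test from the message: XOR exposes the differing bits and ~0xff0
   drops the patch field, so major, minor, fix and status must still agree. */
static int compatible(unsigned long runtime, unsigned long built)
{
    return ((runtime ^ built) & ~0xff0UL) == 0;
}

int main(void)
{
    /* Constructed values: built against 0.9.6b, then run against 0.9.6c
       (patch bump) and against 0.9.7 (fix bump). */
    unsigned long built = 0x0090602fUL;
    unsigned long seen[] = { 0x0090603fUL, 0x0090700fUL };
    for (int i = 0; i < 2; i++) {
        struct ossl_ver d = decode_ver(seen[i]);
        printf("runtime %u.%u.%u patch=%u: exact=%d compatible=%d\n",
               d.major, d.minor, d.fix, d.patch,
               exact_match(seen[i], built), compatible(seen[i], built));
    }
    return 0;
}
```

The patch-level bump passes only the relaxed test, while the fix-level bump fails both, which is the behaviour a package needs to survive a patchlevel upgrade of a shared OpenSSL library without accepting an incompatible one.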