dropping support for openssl < 1.0

[mcr]

We have many #if stmts like:

#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)

which supports 1.0, and before, and let's people use old, broken SSL versions. I also found this confusing comment:

/* this method is currently only called for servers (in OpenSSL <= 0.9.8e) */
static SSL_SESSION *
#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)

is the comment even close to correct? I suspect not.
Are we supporting < 1.0 versions at all? Can we plan a sunset plan for 1.0.x?

[mcr]

also, re: LIBRESSL_VERSION_NUMBER. We never actually test it, just test that it isn't set, and I guess assume LIBRESSL is always new enough?

[rhenium]

v2.1.x, which master currently tracks, will support OpenSSL 1.0.1 and newer.

I'm not planning to drop support for OpenSSL 1.0.x at least in a few years. Many LTS Linux distros including Ubuntu 14.04 provide OpenSSL 1.0.1. OpenSSL 1.0.2 will still be supported even by the OpenSSL team until the end of 2019.

Those #ifs had to check LIBRESSL_VERSION_NUMBER because LibreSSL defines a wrong OPENSSL_VERSION_NUMBER even though it's mostly the same as OpenSSL 1.0.1. We will have to change them again when LibreSSL becomes compatible with OpenSSL 1.1.x, but I don't know when it will happen.

Regarding the comment, it is misleading and should be removed, though it's true that the function (ossl_sslctx_session_get_cb()) will only be called on the server side. I guess r12134 (GitHub mirror: ruby/ruby@a05e89c) added the phrase "in OpenSSL <= 0.9.8e" just because it was the latest release at that time.

[rhenium]

The comment is removed by 308c158.