<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 8 February 2015 at 00:19, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br>
<br>
On 07/02/15 14:41, Richard Moore wrote:<br>
><br>
><br>
</span><span class="">> On 3 February 2015 at 22:02, Rich Salz <<a href="mailto:rsalz@openssl.org">rsalz@openssl.org</a><br>
</span><div><div class="h5">> <mailto:<a href="mailto:rsalz@openssl.org">rsalz@openssl.org</a>>> wrote:<br>
><br>
> As we've already said, we are moving to making most OpenSSL data<br>
> structures opaque. We deliberately used a non-specific term. :)<br>
> As of Matt's commit of the other day, this is starting to happen<br>
> now. We know this will inconvenience people as some applications<br>
> no longer build. We want to work with maintainers to help them<br>
> migrate, as we head down this path.<br>
><br>
> We have a wiki page to discuss this effort. It will eventually include<br>
> tips on migration, application and code updates, and anything else the<br>
> community finds useful. Please visit:<br>
><br>
> <a href="http://wiki.openssl.org/index.php/1.1_API_Changes" target="_blank">http://wiki.openssl.org/index.php/1.1_API_Changes</a><br>
><br>
><br>
> I've documented what got broken in Qt by the changes so far. I've listed<br>
> the functions I think we can use instead where they exist, and those<br>
> where there does not appear to be a replacement.<br>
<br>
<br>
</div></div>On the wiki you say this:<br>
<br>
"cipher->valid - we were directly accessing the valid field of<br>
SSL_CIPHER. No replacement found."<br>
<br>
I'm just trying to work out why you need this? As far as I can tell from<br>
the code the only time valid isn't true is for cipher aliases ("ALL",<br>
"COMPLEMENTOFALL" etc)...but I thought these were only used as an<br>
SSL_CIPHER internally. E.g. if you call SSL_get_ciphers() then you only<br>
get valid ciphers I think??<br>
<br>
What scenario do you have where you are seeing ciphers that aren't valid?<br></blockquote><div><br></div><div>Excellent question. This is code I inherited, and I can't see a sane reason why the cipher might not be valid. I strongly suspect removing this bit of code is actually the right solution here. The code is at <a href="http://code.woboq.org/qt5/qtbase/src/network/ssl/qsslsocket_openssl.cpp.html#651">http://code.woboq.org/qt5/qtbase/src/network/ssl/qsslsocket_openssl.cpp.html#651</a></div><div><br></div><div>Maybe some edge case for things like the <span style="color:rgb(0,0,0);font-size:1em">TLS_FALLBACK_SCSV could have an effect, but even then I can't see how it would relevant to the code that's actually doing this.</span></div><div><span style="color:rgb(0,0,0);font-size:1em"><br></span></div><div><span style="color:rgb(0,0,0);font-size:1em">Cheers</span></div><div><span style="color:rgb(0,0,0);font-size:1em"><br></span></div><div><span style="color:rgb(0,0,0);font-size:1em">Rich.</span></div><div><span style="color:rgb(0,0,0);font-size:1em"><br></span></div><div><br></div><div> </div></div></div></div>