<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/30/2017 5:41 AM, Michael Wojcik
wrote:<br>
<blockquote type="cite">
<pre wrap="">There are a great many OpenSSL consumers. Making radical changes to the default behavior of the API would break many applications - and so it's likely those applications would stop updating their OpenSSL builds.</pre>
</blockquote>
<br>
Yes, compatibility is a concern. So make the "default to secure"
options be new functions.<br>
<br>
<blockquote type="cite">
<pre wrap="">If the application is well-written, the user doesn't need the application source now. If the application isn't well-written, being able to change "settings" is not one of your bigger problems.</pre>
</blockquote>
<br>
You really think that most applications handle all this stuff
right? See below.<br>
<br>
</div>
<blockquote type="cite"
cite="mid:B550B44BF8AF314BB00C4E2AC1C1808801A9ADF474@prvxmb03.microfocus.com">
<blockquote type="cite">
<pre wrap="">Looking at it another way: browsers manage to do it...
</pre>
</blockquote>
<pre wrap="">Manage to do what, exactly? And how are browsers a good model for the vast range of OpenSSL applications? They're just one type of client that nearly always uses a very particular PKI model.
</pre>
</blockquote>
<br>
Manage to make reasonably secure connections with a minimum of user
hassle.<br>
<br>
Is it really right that a basic client (from the O'Reilly book) is
over 300 lines long? (client3.c, common.c, reentrant.c)<br>
<br>
But the really dangerous thing is that if you miss a step, what you
get is a silently insecure connection rather than a failure.<br>
<br>
Do you really like having OpenSSL featured in papers like this?<br>
<a moz-do-not-send="true"
href="http://crypto.stanford.edu/%7Edabo/pubs/abstracts/ssl-client-bugs.html">The
most dangerous code in the world: validating SSL certificates in
non-browser software</a><br>
<pre class="moz-signature" cols="72">
--
Jordan Brown, Oracle Solaris</pre>
</body>
</html>