[openssl-dev] Missing API features

Salz, Rich rsalz at akamai.com
Mon Apr 20 14:33:55 UTC 2015


> Continuing with the problems of making structs opaque, currently the API for querying the information about ciphers is quite weak. Only SSL_CIPHER_description provides access to data such as the key exchange method, and parsing a string to obtain this information seems daft. We're missing API for: key exchange, authentication method, encryption algorithm, MAC and the export flag.

(Man, Outlook makes it hard to NOT top-post. Sigh.)

Since all of those are implied by the cipher spec, could we just have an API to return the two-byte cipher identifier?  (That would break if TLS 1.3 moves to "a la carte" selection, but I doubt that will happen.)  Export is gone :)  And what's the MAC if using an AEAD cipher like AES-GCM?

> It's also worth noting that SSL_CIPHER_get_version and SSL_CIPHER_description should probably be returning const char * not char *.

Yes, is that a bug to backport or just fix in master, you think?

--  
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz
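
The string parsing the quoted message objects to, as an added example that is not part of this message or of OpenSSL's code: a strict parser for the text layout SSL_CIPHER_description returns, which rejects a line instead of guessing when a field is missing or an unknown token appears. The names `cipher_info`, `copy_field` and `parse_cipher_description` are hypothetical, and the sample line is constructed in that layout.

```c
#include <stdio.h>
#include <string.h>

/* Fields an application must recover from the description text. */
struct cipher_info {
    char name[64], version[16], kx[32], au[32], enc[32], mac[32];
    int is_export;
};

/* Copy src into dst of size n; fail instead of truncating silently. */
static int copy_field(char *dst, size_t n, const char *src) {
    if (strlen(src) >= n) return -1;
    strcpy(dst, src);
    return 0;
}

/* Returns 0 on success; -1 if the line is too long, carries a token this
 * parser does not know, or lacks any of Kx/Au/Enc/Mac. */
int parse_cipher_description(const char *desc, struct cipher_info *out) {
    static const char WS[] = " \t\r\n";
    char buf[256], *p = buf;
    int pos = 0, rc = 0;
    memset(out, 0, sizeof(*out));
    if (strlen(desc) >= sizeof(buf)) return -1;
    strcpy(buf, desc);
    while (rc == 0 && *(p += strspn(p, WS)) != '\0') {
        char *tok = p;                 /* start of the next token */
        p += strcspn(p, WS);
        if (*p) *p++ = '\0';           /* terminate it in place */
        if (pos == 0)      rc = copy_field(out->name, sizeof out->name, tok);
        else if (pos == 1) rc = copy_field(out->version, sizeof out->version, tok);
        else if (!strncmp(tok, "Kx=", 3))  rc = copy_field(out->kx, sizeof out->kx, tok + 3);
        else if (!strncmp(tok, "Au=", 3))  rc = copy_field(out->au, sizeof out->au, tok + 3);
        else if (!strncmp(tok, "Enc=", 4)) rc = copy_field(out->enc, sizeof out->enc, tok + 4);
        else if (!strncmp(tok, "Mac=", 4)) rc = copy_field(out->mac, sizeof out->mac, tok + 4);
        else if (!strcmp(tok, "export"))   out->is_export = 1;
        else rc = -1;  /* unknown token: the format changed, refuse to guess */
        pos++;
    }
    return (rc || !out->kx[0] || !out->au[0] || !out->enc[0] || !out->mac[0]) ? -1 : 0;
}

int main(void) {
    struct cipher_info ci;  /* the line below is a constructed sample */
    const char *s = "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n";
    if (parse_cipher_description(s, &ci) == 0)
        printf("%s kx=%s au=%s enc=%s mac=%s export=%d\n", ci.name, ci.kx, ci.au, ci.enc, ci.mac, ci.is_export);
    return 0;
}
```

Every caller that needs one of these attributes has to carry a parser like this and keep it in step with the text format, which is the maintenance burden an accessor API or a cipher-identifier lookup would remove.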


