[openssl-dev] Proposed cipher changes for post-1.0.2

Steffen Nurpmeso sdaoden at yandex.com
Sat Feb 14 21:00:29 UTC 2015


Hello,

"Dr. Stephen Henson" <steve at openssl.org> wrote:
 |On Fri, Feb 13, 2015, Viktor Dukhovni wrote:
 |> On Fri, Feb 13, 2015 at 11:59:13AM +0000, Salz, Rich wrote:
 |>>> Some time ago, I had submitted a patch which allows administrators, but
 |>>> most importantly OS distributors to set their own strings in the configuration

 |>> And my intent is to pull this into master pretty soon.

 |> We may not need a patch for this, I thought we were about to deprecate
 |> OpenSSL_config() with its void return status and encourage folks

 |Just clarification. The initialisation we're recommending I normally refer
 |to as "config modules". NCONF is a more general API for configuration files.

I think an interesting question would be whether that configuration
API will eventually obsolete the direct function interface.

 |Config modules were intended to be used for application setup so would
 |be a good place to add a system cipher string instead of a whole new mechanism.
 |The only problem is that it would only work with applications that supported
 |config modules.

So break API compatibility and extend the mandatory
SSL_library_init() to incorporate the functionality of
CONF_modules_load_file(), introducing a SSL_library_free()
counterpart?
Or don't break compatibility and let SSL_library_init() internally
do OPENSSL_config() unless OPENSSL_INIT_DONT_LOAD_CONF is defined?
Or ditto, but introduce a new SSL_library_init_with_conf() with an
SSL_library_free_with_conf(), too.
It will be very interesting to see how you will overcome that
deadlocked situation.
Have a nice weekend.

--steffen
