[openssl-dev] Proposed cipher changes for post-1.0.2
Steffen Nurpmeso
sdaoden at yandex.com
Sat Feb 14 21:00:29 UTC 2015
Hello,
"Dr. Stephen Henson" <steve at openssl.org> wrote:
|On Fri, Feb 13, 2015, Viktor Dukhovni wrote:
|> On Fri, Feb 13, 2015 at 11:59:13AM +0000, Salz, Rich wrote:
|>>> Some time ago, I had submitted a patch which allows administrators, but
|>>> most importantly OS distributors to set their own strings
|>>> in the configuration
|>> And my intent is to pull this into master pretty soon.
|> We may not need a patch for this, I thought we were about to deprecate
|> OpenSSL_config() with its void return status and encourage folks
|Just clarification. The initialisation we're recommending I normally refer
|to as "config modules". NCONF is a more general API for configuration files.
I think an interesting question would be whether that configuration
API will eventually obsolete the direct function interface?
|Config modules were intended to be used for application setup so would
|be a good place to add a system cipher string instead of a
|whole new mechanism.
|The only problem is that it would only work with applications that supported
|config modules.
So break API compatibility and extend the mandatory
SSL_library_init() to incorporate the functionality of
CONF_modules_load_file(), introducing a SSL_library_free()
counterpart?
Or don't break compatibility and let SSL_library_init() internally
do OPENSSL_config() unless OPENSSL_INIT_DONT_LOAD_CONF is defined?
Or ditto but introduce a new SSL_library_init_with_conf() with an
SSL_library_free_with_conf(), too.
It will be very interesting to see how you will overcome that
deadlocked situation.
Have a nice weekend.
--steffen