[openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value

Viktor Dukhovni openssl-users at dukhovni.org
Thu Mar 17 00:40:42 UTC 2016


> On Mar 16, 2016, at 6:44 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
>> Was the SSL_get_version() behavior changed on purpose in the Beta 1
>> release? This function used to return "TLSv1" when TLS v1.0 was used
>> while it is now in Beta 1 returning "TLSv1.0" for that case.
> 
> I missed this change in the review.  Sorry about that.  It should
> perhaps be reverted for beta2.  The reported version string for
> TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced.
> It should likely stay that way.

The commit in question consolidated disparate functions that all
converted TLS protocol versions to strings, alas not entirely
consistently.

The "TLSv1.0" style was used in "ciphers -v" to report the protocol
version that introduced the cipher, while "TLSv1" was used in most
other contexts.

I think it is reasonable to preserve the backwards compatible "TLSv1"
for the string protocol version, but do we also need to preserve the
"TLSv1.0" in ciphers(1) output?  If so, the code needs an exception
that can otherwise be avoided.

Is it OK to change the protocol version string reported by ciphers(1)
via SSL_CIPHER_get_version() by way of SSL_CIPHER_description()?

If absolutely necessary, we can retain the legacy nomenclature, but
I'm inclined to go with a change to the cipher variant; I don't think
that compatibility there is nearly as important.

-- 
	Viktor.
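
Added example, not part of the original message and not OpenSSL code: an application that compares the SSL_get_version() string against the literal "TLSv1" stops matching when the spelling becomes "TLSv1.0". The sketch below uses hypothetical helpers (tls_name_to_wire, meets_minimum) that accept both spellings, map them to the numeric wire version, and fail closed on anything unrecognised.

```c
#include <stdio.h>
#include <string.h>

/* Map a protocol version name to its wire version
 * (0x0300 = SSLv3, 0x0301 = TLS 1.0, ... 0x0304 = TLS 1.3).
 * Accepts both "TLSv1" and "TLSv1.0" for TLS 1.0.
 * Returns -1 for any name it does not recognise. */
int tls_name_to_wire(const char *name)
{
    if (name == NULL)
        return -1;
    if (strcmp(name, "SSLv3") == 0)
        return 0x0300;
    if (strncmp(name, "TLSv1", 5) != 0)
        return -1;

    const char *p = name + 5;
    if (*p == '\0')                 /* legacy spelling "TLSv1" */
        return 0x0301;
    /* Only ".<digit 0-3>" followed by end of string is accepted. */
    if (p[0] != '.' || p[1] < '0' || p[1] > '3' || p[2] != '\0')
        return -1;
    return 0x0301 + (p[1] - '0');
}

/* Policy check done on numbers, not strings; unknown names are rejected. */
int meets_minimum(const char *name, int min_wire)
{
    int v = tls_name_to_wire(name);
    return v >= 0 && v >= min_wire;
}

int main(void)
{
    /* Constructed sample inputs covering both spellings and bad values. */
    const char *samples[] = { "TLSv1", "TLSv1.0", "TLSv1.2", "SSLv3", "TLSv1.x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s wire=%#06x  >=TLS1.2: %d\n", samples[i],
               (unsigned)tls_name_to_wire(samples[i]) & 0xffff,
               meets_minimum(samples[i], 0x0303));
    return 0;
}
```

Where an SSL handle is available, SSL_version() returns the numeric protocol version directly, so no string parsing is needed.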

