[openssl-project] The problem of (implicit) relinking and changed behaviour
levitte at openssl.org
Sat Apr 14 20:40:11 UTC 2018
In message <44FE0745-31DF-41C3-B697-97025643CE32 at dukhovni.org> on Sat, 14 Apr 2018 16:24:56 -0400, Viktor Dukhovni <openssl-users at dukhovni.org> said:
openssl-users> > On Apr 14, 2018, at 4:18 PM, Richard Levitte <levitte at openssl.org> wrote:
openssl-users> >> Will real applications run into any meaningful problems?
openssl-users> > This is an argument that I find *terribly* frustrating. Are you
openssl-users> > suggesting that we have no test that tries to do what can be expect
openssl-users> > from a "real" application?
openssl-users> I am suggesting that we ignore test failures that test for rather
openssl-users> artificial conditions. If our test negotiates TLS with our own
openssl-users> server and tests that it got exactly TLS 1.2 (because that's the
openssl-users> highest version our test expected to support by default) that's an
openssl-users> artificial test, and its failure is fine.
Do all the tests do that, i.e. actually check that they got nothing
higher than TLSv1.2? This is an open question, I haven't dived enough
into the TLS stuff to know (but will next week unless someone can say
for sure). If that is the case, then I agree that it's quite
artificial. Otherwise, not so much.
openssl-users> Real applications that want no more than TLS 1.2 need
openssl-users> to set the max version, or not expect that maximum.
openssl-users> Anything else is an application bug.
Would you say that it's an application bug if it stumbles on a change
in API behavior that isn't due to a bug fix? (and even better, if it
worked according to documentation?)
openssl-users> Do we have any meaningful test failures that are not
openssl-users> artificial like the above? If so, we should fix them,
openssl-users> if not we possibly need more tests, but are otherwise
openssl-users> fine as best we know.
I disagree with us being fine, unless the possible issue I'm raising
can be disqualified with certainty.
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
More information about the openssl-project