[openssl-project] The problem of (implicit) relinking and changed behaviour

Viktor Dukhovni openssl-users at dukhovni.org
Sat Apr 14 20:46:56 UTC 2018

> On Apr 14, 2018, at 4:40 PM, Richard Levitte <levitte at openssl.org> wrote:
> Would you say that it's an application bug if it stumbles on a change
> in API behavior that isn't due to a bug fix?  (and even better, if it
> worked according to documentation?)

Negotiating a new version of TLS is not a change in API behaviour.  The
application asks for a TLS session (of no particular maximum version),
and it gets one that both the client library and the peer support.

I just tested posttls-finger compiled for 1.1.0 running with a 1.1.1
library against a TLS 1.2 server and it worked fine.

What version of OpenSSL is Postfix linked against on mta.openssl.org?
Care to upgrade it to 1.1.0 if not already?  Then replace the libraries
with the 1.1.1 versions?  I can then retest...

Running an MTA built for 1.1.0 against 1.1.1 libraries might be a reasonable
way to "eat our own dog food".


More information about the openssl-project mailing list