[openssl-project] The problem of (implicit) relinking and changed behaviour

Richard Levitte levitte at openssl.org
Sat Apr 14 21:09:17 UTC 2018

In message <D371758F-1CB0-48E5-8590-48094B2A8EF8 at dukhovni.org> on Sat, 14 Apr 2018 16:46:56 -0400, Viktor Dukhovni <openssl-users at dukhovni.org> said:

openssl-users> > On Apr 14, 2018, at 4:40 PM, Richard Levitte <levitte at openssl.org> wrote:
openssl-users> > 
openssl-users> > Would you say that it's an application bug if it stumbles on a change
openssl-users> > in API behavior that isn't due to a bug fix?  (and even better, if it
openssl-users> > worked according to documentation?)
openssl-users> Negotiating a new version of TLS is not a change in API behaviour.  The
openssl-users> application asks for a TLS session (of no particular maximum version),
openssl-users> and it gets one that both the client library and the peer support.
openssl-users> I just tested posttls-finger compiled for 1.1.0 running with a 1.1.1
openssl-users> library against a TLS 1.2 server and it worked fine.

Does this answer the whole question, or do they just do the most basic
stuff that our public headers make available?

To put it another way, I would absolutely hate it if, after 1.1.1
(assuming that's what we go for) is released, people came back
screaming at us because their program toppled over or bailed out in a
virtual panic attack just because of a shared library upgrade.
I would prefer if we treated this with *certainties* rather than
*probabilities*, and for the moment, it feels like I'm being fed with
the latter rather than the former.

openssl-users> What version of OpenSSL is Postfix linked against on mta.openssl.org?
openssl-users> Care to upgrade it to 1.1.0 if not already?  Then replace the libraries
openssl-users> with the 1.1.1 versions?  I can then retest...

mta.openssl.org runs Ubuntu 16.04 and as up to date packages as I
get.  I prefer to run things with vendor packages, so we have an easy
path for updates, and considering that's our central mail hub, I'm not
at all keen on potentially screwing things up there.

But tell you what, there's a test machine as well, which I did set up
specifically for trying this sort of thing.  I can certainly screw
around with all of that there.

openssl-users> Running an MTA built for 1.1.0 against 1.1.1 libraries
openssl-users> might be a reasonable way to "eat our own dog food".

Yeeeaaaahhh, ya know, I do believe in eating your own dog food, but
only to a level.  Central production machinery that we all depend on
is a big no-no in my admin brain.


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
