[openssl-project] The problem of (implicit) relinking and changed behaviour
openssl-users at dukhovni.org
Sat Apr 14 21:19:09 UTC 2018
> On Apr 14, 2018, at 5:09 PM, Richard Levitte <levitte at openssl.org> wrote:
>> I just tested posttls-finger compiled for 1.1.0 running with a 1.1.1
>> library against a TLS 1.2 server and it worked fine.
> Does this answer the whole question, or do they just do the most basic
> stuff that our public headers make available?

No mere test constitutes a formal proof of correctness. I'm just saying
that compile-time 1.1.0 runs fine in routine SSL sessions with 1.1.1 as
the underlying library. The posttls-finger program is comparatively
sophisticated in its use of SSL, but by no means tests the entire API.

> To put it another way, I would absolutely hate it if, after 1.1.1
> (assuming that's what we go for) is released, people came back
> screaming at us because their program toppled over or bailed out in a
> virtual panic attack just because of a shared library upgrade.

When support for TLS 1.2 appeared in OpenSSL, some Postfix users ran
into some trouble with middle-boxes or some such, and had to cap the
TLS version at TLS 1.0. This happened some time between 1.0.0 and
1.0.2 IIRC, with the library ABI at 1.0. This is to be expected.

No matter what we do, some users will upgrade their applications and/or
OpenSSL library and find that they run into some friction with TLS 1.3.
None of our work-arounds will make the problem go away. They'll just
have to deal with it.

> openssl-users> What version of OpenSSL is Postfix linked against on mta.openssl.org?
> openssl-users> Care to upgrade it to 1.1.0 if not already? Then replace the libraries
> openssl-users> with the 1.1.1 versions? I can then retest...
> But tell you what, there's a test machine as well, which I did set up
> specifically for trying this sort of thing. I can certainly screw
> around with all of that there.

A test machine would be great.
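One defender-side check the thread implies, as an added Python example that is not Viktor's or the project's code: decode the 1.x OPENSSL_VERSION_NUMBER layout, detect when a program built against 1.1.0 headers is running on a 1.1.1 library that will negotiate TLS 1.3, and, like the Postfix users who capped the protocol version, optionally pin the client to TLS 1.2. The version constants and helper names are assumptions; Python's ssl module stands in for the C API.

```python
import ssl

# Constructed version numbers matching the thread, in the 1.x
# OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS (major, minor, fix, patch, status).
# OpenSSL 3.x packs the low bits differently; only the 1.x layout is decoded here.
BUILD_1_1_0h = 0x1010008F   # headers the program was compiled against
RUNTIME_1_1_1 = 0x1010100F  # library picked up at run time after an upgrade
FIRST_TLS13 = (1, 1, 1)     # first release that negotiates TLS 1.3 by default


def decode_openssl_1x(num: int) -> tuple:
    """Split a 1.x-style OPENSSL_VERSION_NUMBER into (major, minor, fix, patch letter)."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return major, minor, fix, letter


def same_abi_line(build: int, runtime: int) -> bool:
    """Shared-library replacement is only expected within one ABI line (e.g. 1.1.x)."""
    return decode_openssl_1x(build)[:2] == decode_openssl_1x(runtime)[:2]


def gains_tls13_implicitly(build: int, runtime: int) -> bool:
    """True when code built without TLS 1.3 in its headers now runs on a library
    that negotiates it: the 1.1.0-binary-on-1.1.1-library case from the thread."""
    if not same_abi_line(build, runtime):
        raise ValueError("different ABI line; the loader should not pair these")
    b = decode_openssl_1x(build)[:3]
    r = decode_openssl_1x(runtime)[:3]
    return b < FIRST_TLS13 <= r


def client_context(build: int, runtime: int = ssl.OPENSSL_VERSION_NUMBER,
                   cap_on_implicit_tls13: bool = False) -> ssl.SSLContext:
    """Default client context; optionally cap at TLS 1.2 when the relink would
    otherwise switch the program to a TLS 1.3 it was never tested with."""
    ctx = ssl.create_default_context()
    if cap_on_implicit_tls13 and gains_tls13_implicitly(build, runtime):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Leaving the cap off is the thread's actual position: the check only tells you that behaviour changed, so you can decide whether to test against the new library rather than silently pin.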