[openssl-project] The problem of (implicit) relinking and changed behaviour

Richard Levitte levitte at openssl.org
Wed Apr 18 03:24:20 UTC 2018

In message <FE841B85-EC0C-4E5A-9C3C-3703A8B1990F at dukhovni.org> on Tue, 17 Apr 2018 14:32:37 -0400, Viktor Dukhovni <openssl-users at dukhovni.org> said:

openssl-users> > On Apr 17, 2018, at 2:15 PM, Richard Levitte <levitte at openssl.org> wrote:
openssl-users> > 
openssl-users> > Depends on what "the best thing you know to do" is.  In my mind,
openssl-users> > simply refusing to run as before because the new kid in town didn't
openssl-users> > like the environment (for example a cert that's perfectly valid for
openssl-users> > TLSv1.2 but invalid for TLSv1.3) it ended up in isn't "the best thing
openssl-users> > you know to do".
openssl-users> > 
openssl-users> > But I get you, your idea of "the best thing you know to do" is to run
openssl-users> > the newest protocol unconditionally unless the user / application says
openssl-users> > otherwise, regardless of if it's at all possible given the environment
openssl-users> > (like said cert).
openssl-users> If there were a non-negligible use of certificates that work with TLS 1.2,
openssl-users> and that (implementation bugs aside) can't work with TLS 1.3, I'd support
openssl-users> your position strongly.  As it stands, I think you're right in principle,
openssl-users> but not yet in practice.  If we find no show-stopper issues, we should
openssl-users> allow TLS 1.3 to happen.

The troublesome thing with "but not yet in practice" is that we won't
know before 1.1.1 is finally released and has been deployed on a
larger scale.  In my mind, that's too late.  So my view is much more
black and white, like: is it at all possible that there will be
certificates or other "stuff" out there that will have libssl fail
setting up communication because of TLSv1.3?  If the answer is yes, I
find it hard to ignore this.

openssl-users> I'm far more concerned about lingering middle-box issues, than about some
openssl-users> edge-case certificates...

There's that too, yeah.

Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
