[openssl-users] [openssl-dev] The evolution of the 'master' branch

Richard Moore richmoore44 at gmail.com
Sun Feb 8 01:11:31 UTC 2015


On 8 February 2015 at 00:19, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 07/02/15 14:41, Richard Moore wrote:
> >
> >
> > On 3 February 2015 at 22:02, Rich Salz <rsalz at openssl.org> wrote:
> >
> >     As we've already said, we are moving to making most OpenSSL data
> >     structures opaque. We deliberately used a non-specific term. :)
> >     As of Matt's commit of the other day, this is starting to happen
> >     now.  We know this will inconvenience people as some applications
> >     no longer build.  We want to work with maintainers to help them
> >     migrate, as we head down this path.
> >
> >     We have a wiki page to discuss this effort.  It will eventually
> >     include tips on migration, application and code updates, and
> >     anything else the community finds useful.  Please visit:
> >
> >             http://wiki.openssl.org/index.php/1.1_API_Changes
> >
> >
> > I've documented what got broken in Qt by the changes so far. I've listed
> > the functions I think we can use instead where they exist, and those
> > where there does not appear to be a replacement.
>
>
> On the wiki you say this:
>
> "cipher->valid - we were directly accessing the valid field of
> SSL_CIPHER. No replacement found."
>
> I'm just trying to work out why you need this? As far as I can tell from
> the code the only time valid isn't true is for cipher aliases ("ALL",
> "COMPLEMENTOFALL" etc)...but I thought these were only used as an
> SSL_CIPHER internally. E.g. if you call SSL_get_ciphers() then you only
> get valid ciphers I think??
>
> What scenario do you have where you are seeing ciphers that aren't valid?
>

Excellent question. This is code I inherited, and I can't see a sane reason
why the cipher might not be valid. I strongly suspect removing this bit of
code is actually the right solution here. The code is at
http://code.woboq.org/qt5/qtbase/src/network/ssl/qsslsocket_openssl.cpp.html#651

Maybe some edge case for things like the TLS_FALLBACK_SCSV could have an
effect, but even then I can't see how it would be relevant to the code that's
actually doing this.

Cheers

Rich.