[openssl-users] OCSP_BASICRESP_verify() in 1.1.0

Wouter Verhelst wouter.verhelst at fedict.be
Thu Nov 2 13:41:05 UTC 2017

On 31-10-17 17:47, Matt Caswell wrote:
> On 31/10/17 16:42, Wouter Verhelst wrote:
>> On 31-10-17 17:26, Matt Caswell wrote:
>>> I agree its not a great name for it. Unfortunately we are stuck with it
>>> for compatibility reasons. If we renamed it we would break any code that
>>> is currently using it. We could introduce a new flag with a different
>>> name which does the same thing - but I'm not sure that does anything to
>>> make things less confusing.
>> You could always keep the old name around and mark it deprecated. GCC
>> even has a pragma for that -- __attribute__((deprecated)) -- although I
>> doubt it works on macros (haven't tested that).
>> I suppose it might be too much of an effort for too little gain, though.
> As a matter of policy we won't deprecate anything more until we do a
> 1.2.0 release.

That's a sensible policy, thanks.

> If someone wants to create a PR for a new name for this (defining the
> old one to point at the new one), then I'd review it. But if we're going
> to go to that effort then we should write the documentation as part of
> the PR (there seems little sense to me in replacing an undocumented name
> which you have to read the source to understand with another
> undocumented name that you also have to read the source to understand).

As I ran into this when reviewing how to do OCSP, but ended up not
needing it (I need normal path validation within a limited set of root
certificates), I might look into doing that if/when I find the time for
it some time soon.


Wouter Verhelst

More information about the openssl-users mailing list