> Thank you for pointing this out, I missed it in my brief look of the code.
> To me, this is reason enough to move to 1.0.2 (in addition to all the
> other reasons given by you and Nenad).
>
> I'll start prototyping the code using 1.0.2.

Agreed. What I would also urge is to not use any openssl internals at all. We already have a few forward compatibility issues with openssl (haproxy linked with -DOPENSSL_NO_SSL_INTERN against current stable openssl or linking against the openssl 1.1.0 branch).

Openssl 1.1.0 is expected to be released by the end of 2015, we should try hard to not introduce new compatibility issues - which mostly comes from accessing openssl internals. Of course we can't predict API breakage, but we do already know that direct access to internal APIs will no longer be possible.

Thanks for this work, Dave, it's much appreciated!

Regards,

Lukas