On Wed, 2012-03-14 at 19:36 +0100, Dr. Stephen Henson wrote: 
> On Wed, Mar 14, 2012, Mike Frysinger wrote:
> 
> > On Wednesday 14 March 2012 14:25:32 Dr. Stephen Henson wrote:
> > > On Wed, Mar 14, 2012, Mike Frysinger wrote:
> > > > On Wednesday 14 March 2012 11:09:22 OpenSSL wrote:
> > > > >    OpenSSL version 1.0.1 released
> > > > >    ===============================
> > > > >    
> > > > >        http://www.openssl.org/source/exp/CHANGES.
> > > > >    
> > > > >    The most significant changes are:
> > > > >       o TLS/DTLS heartbeat support.
> > > > >       o SCTP support.
> > > > >       o RFC 5705 TLS key material exporter.
> > > > >       o RFC 5764 DTLS-SRTP negotiation.
> > > > >       o Next Protocol Negotiation.
> > > > >       o PSS signatures in certificates, requests and CRLs.
> > > > >       o Support for password based recipient info for CMS.
> > > > >       o Support TLS v1.2 and TLS v1.1.
> > > > >       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
> > > > >       o SRP support.
> > > > 
> > > > i don't see mention of ABI compat changes, and it seems to not be
> > > > compatible. did someone forget to update the version string in
> > > > crypto/opensslv.h ?  it still says "1.0.0" ...
> > > 
> > > Can you be more specific about "seems to not be compatible".
> > 
> > if the versions were compatible, there should be no warning when running apps
> > with openssl-1.0.1 that were built against openssl-1.0.0*.  but there is:
> >     OpenSSL version mismatch. Built against 1000005f, you have 1000100f
> 
> What is producing that warning?

This is a problem of the applications (OpenSSH, PostgreSQL, ...) that do
not expect different versions of openssl to be ABI compatible. They
compare the version that they were compiled against to the version
reported by the library. They usually ignore only the patch level number
(abcde...). We had to patch the version number in the library to stay
constant. I suppose these applications should have the version check
removed as it is not guaranteed to work anyway as the ABI of openssl
depends also on the compiled-in ciphers and other compile time options.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
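
The check described in the reply above, applied to the two values from the warning, as an added example that is not part of the original thread and not any application's or the OpenSSL project's own code. It assumes the 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER used in the 1.0.x series; `decode_version`, `versions_match` and both masks are hypothetical names, and the second, looser mask is shown only for contrast.

```c
#include <stdio.h>

/* Fields of the 0xMNNFFPPS layout (assumed, 1.0.x series):
 * M = major, NN = minor, FF = fix, PP = patch letter, S = status. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Hypothetical application-side check: the versions "match" when they are
 * equal after the bits in ignore_mask have been cleared. */
static int versions_match(unsigned long built, unsigned long runtime,
                          unsigned long ignore_mask)
{
    return ((built ^ runtime) & ~ignore_mask) == 0;
}

#define IGNORE_PATCH     0x00000ff0UL /* ignores the patch letter only */
#define IGNORE_FIX_PATCH 0x000ffff0UL /* also ignores the fix number (contrast case) */

static void print_version(const char *label, unsigned long v)
{
    struct ossl_ver d = decode_version(v);
    char letter[2] = { d.patch ? (char)('a' + d.patch - 1) : '\0', '\0' };
    printf("%s %08lx = %u.%u.%u%s (status 0x%x)\n",
           label, v, d.major, d.minor, d.fix, letter, d.status);
}

int main(void)
{
    /* The two values quoted in the warning in this thread. */
    unsigned long built = 0x1000005fUL, runtime = 0x1000100fUL;

    print_version("built against", built);
    print_version("running with ", runtime);
    printf("patch-only mask:    %s\n",
           versions_match(built, runtime, IGNORE_PATCH) ? "match" : "mismatch");
    printf("fix-and-patch mask: %s\n",
           versions_match(built, runtime, IGNORE_FIX_PATCH) ? "match" : "mismatch");
    return 0;
}
```

Neither mask inspects compile-time options or the set of compiled-in ciphers, which the reply names as the other inputs to ABI compatibility.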
