"Salz, Rich via RT" <r...@openssl.org> wrote:
 |> So you want a separate "openssl-conf" package. Fine, then provide it and
 |> give an easy mechanism for applications to hook into it.
 |> And for users to be able to overwrite system defaults.
 |> But this has not that much to do with #3627.
 |
 |Yes it does.  :)  A newer simpler API that does what you want \
 |seems exactly the way forward.  Go for it.
You sound pretty good and done here..  Congratulations.  [Laughter]

Regarding the interface: back in 2011 I had started (only) writing a
Python (grr) script which had a really simple way of doing _any_
socket connection via

  class SaSo: # {{{ Sa[fe]So[cket] SSL and socket creation encapsulator

The basic concept was that all you can do is

  def create_connection(serv, cafile=None, all_fingerprints=False):

where serv is a class Service,

  class Service(Config.Section):

that directly maps to a configuration type (shortened by doc)

  [service]
  uid = UID
  url = NAME
  proto = proto
  port = NUMBER
  upgrade-secure = BOOLEAN
  fetch-folders = mailbox, another-mailbox, ...
  options = protocol-dependent (comma separated list of options)

So whether TLS or not you simply

  (err, conn) = SaSo.create_connection(serv)
  if err:
      return (intro + 'connect failure: ' + err, ESTAT_CONNECTION)
  print('@ ', intro, conn.pretty_addr, sep='', file=STDOUT)

_maximally_ extended by (for non-initially secured transport)

  # Shall we try to upgrade to TLS (RFC 2595)?
  if self.service.upgrade_secure:
      resp = self._single('STLS')
      if not resp:
          self.error_append('\nServer does not seem to support secure ' +
              'transport.\nYou need to disable the *upgrade-secure* ' +
              'configuration setting.')
          return
      resp = SaSo.wrap_connection(self.conn)
      if resp is not None:
          self.error = 'failed to perform *upgrade-secure*: ' + resp
          return

Cool, eh?  S-postman.py was that thing.

_That_ is in essence what I mean -- just think about the current Python
urllib, is it CVE-2014-9365: not even programmers that know do it the
right way, how can you expect administrators and normal users to do so,
even _if_ the software allows the necessary configuration.  Nono.

 |I've said that adding new magic keywords is not something \
 |we're going to do, and I've tried to explain the reasoning. \
 | I am sorry that you don't like it.

Despite that I continue to disagree _completely_.
The other way around would be the right way to go for configuration,
and if that doesn't work then the _library_ would have to be adjusted.
E.g. by splitting off a small config update package that updates cipher
lists and whatever (I am really not an expert.  Nor do I plan to become
one) without the need to recompile OpenSSL.  Cool.  But you are not
there yet, are you?  :-)

So please please, give us "MIN" and "MAX".

Ciao,

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
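Editor's added example, not the poster's S-postman.py and not OpenSSL code: a SaSo-style wrapper of the kind the mail sketches, where the [service] section is the only thing a caller supplies and the library fixes the TLS policy (certificate and hostname verification cannot be switched off through the API, which is the class of mistake behind the urllib issue the mail cites). The config keys and the (err, conn) / STLS-upgrade shape follow the mail; the field parsing, the TLS 1.2 floor, the POP3 helper and the loopback server are assumptions made for the illustration. The loopback server is constructed and never actually speaks TLS, so the upgrade path deliberately ends in a handshake error, which exercises the `failed to perform *upgrade-secure*` branch offline.

```python
# Added illustration (not the poster's S-postman.py): a SaSo-style wrapper
# whose TLS policy lives in the library, with callers seeing only a
# [service] section and an (err, conn) pair.  Names beyond those quoted in
# the mail (connect_pop3, fake_pop3_server, the TLS floor) are assumed.
import configparser
import dataclasses
import socket
import ssl
import threading

# Constructed sample config, shaped like the [service] section in the mail.
SAMPLE_CONFIG = """
[service]
uid = example-pop
url = 127.0.0.1
proto = pop3
port = 110
upgrade-secure = yes
options = uidl, top
"""


@dataclasses.dataclass
class Service:
    uid: str
    url: str
    proto: str
    port: int
    upgrade_secure: bool
    options: tuple

    @classmethod
    def from_config(cls, text):
        cp = configparser.ConfigParser()
        cp.read_string(text)
        s = cp["service"]
        opts = tuple(o.strip() for o in s.get("options", "").split(",") if o.strip())
        return cls(s["uid"], s["url"], s["proto"], s.getint("port"),
                   s.getboolean("upgrade-secure", fallback=False), opts)


def tls_context(cafile=None):
    # No parameter can disable verification: the "no cert/hostname check"
    # failure mode of old urllib (CVE-2014-9365) is not expressible here.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy floor
    return ctx


def _readline(conn):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").strip()


def wrap_connection(conn, hostname, cafile=None):
    """STARTTLS step: (None, tls_conn) on success, (err, None) otherwise."""
    try:
        return (None, tls_context(cafile).wrap_socket(conn, server_hostname=hostname))
    except OSError as e:  # ssl.SSLError is an OSError subclass
        conn.close()
        return (str(e), None)


def create_connection(serv, cafile=None, timeout=5.0):
    """(err, conn): err is None on success, conn is None on failure."""
    try:
        conn = socket.create_connection((serv.url, serv.port), timeout=timeout)
    except OSError as e:
        return (str(e), None)
    if serv.proto.endswith("s"):  # implicit-TLS variant such as pop3s
        err, conn = wrap_connection(conn, serv.url, cafile)
        if err:
            return ("TLS handshake failed: " + err, None)
    return (None, conn)


def connect_pop3(serv, cafile=None):
    """Plain connect, then the RFC 2595 STLS upgrade when upgrade-secure is set."""
    err, conn = create_connection(serv, cafile)
    if err:
        return ("connect failure: " + err, None)
    if not _readline(conn).startswith("+OK"):
        conn.close()
        return ("unexpected greeting", None)
    if serv.upgrade_secure:
        conn.sendall(b"STLS\r\n")
        if not _readline(conn).startswith("+OK"):
            conn.close()
            return ("Server does not seem to support secure transport. "
                    "You need to disable the *upgrade-secure* configuration setting.", None)
        err, conn = wrap_connection(conn, serv.url, cafile)
        if err:
            return ("failed to perform *upgrade-secure*: " + err, None)
    return (None, conn)


def fake_pop3_server(accepts_stls):
    """Constructed loopback server: answers one STLS, never speaks TLS, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        c, _ = srv.accept()
        with c:
            c.sendall(b"+OK POP3 ready\r\n")
            if _readline(c).upper() == "STLS":
                c.sendall(b"+OK begin TLS\r\n" if accepts_stls else b"-ERR not supported\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    serv = Service.from_config(SAMPLE_CONFIG)
    for accepts in (False, True):
        err, conn = connect_pop3(dataclasses.replace(serv, port=fake_pop3_server(accepts)))
        print("server accepts STLS:", accepts, "->", err)
```

Both loopback runs return an error tuple rather than a plaintext connection: a server that refuses STLS trips the "does not seem to support secure transport" branch, and one that accepts but then fails the handshake trips the "failed to perform *upgrade-secure*" branch. There is no code path that quietly continues without TLS once upgrade-secure is set.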