On 20 April 2015 at 15:33, Salz, Rich <rs...@akamai.com> wrote:
>
> >Continuing with the problems of making structs opaque, currently the API
> >for querying the information about ciphers is quite weak. Only
> >SSL_CIPHER_description provides access to data such as the key exchange
> >method, and parsing a string to obtain this information seems daft. We're
> >missing API for: key exchange, authentication method, encryption
> >algorithm, MAC and the export flag.
>
> (Man, outlook makes it hard to NOT top-post. Sigh.)
>
> Since all of those are implied by the cipher spec, could we just have an
> API to return the two-byte cipher identifier? (That would break if TLS 1.3
> moves to "a la carte" selection, but I doubt that will happen.) Export is
> gone :) And what's the MAC if using an AEAD cipher like AES-GCM?
>

Just returning the cipher id would mean every app needs to replicate the table that openssl already has, and keep it updated. Doesn't seem like a good plan to me. According to the current code in openssl the 'MAC' when using AES-GCM is AEAD - not ideal perhaps, but what we've got.
> > It's also worth noting that SSL_CIPHER_get_version and
> > SSL_CIPHER_description should probably be returning const char * not char *.
>
> Yes, is that a bug to backport or just fix in master, you think?
>

Changing the return type here should be binary compatible on any sane platform, but it might cause source incompatibilities.

Cheers

Rich.
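The thread objects to "parsing a string to obtain this information". The following added example (editorial, not code from the thread or from OpenSSL) shows what that string-parsing approach looks like for the one-line format SSL_CIPHER_description() prints, `NAME VERSION Kx=... Au=... Enc=...(bits) Mac=... [export]`, including the `Mac=AEAD` case the reply mentions for AES-GCM. The `cipher_info` struct, the function names and the two sample description lines are constructed for this example (the lines approximate OpenSSL 1.0.2 output); the parser fails closed on any token it does not recognise, which is exactly the fragility that makes a real accessor API preferable.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields an application wants from a cipher, in the thread's terms.
 * Constructed for this example; this is not an OpenSSL type. */
typedef struct {
    char name[64];
    char version[16];
    char kx[16];        /* key exchange, e.g. "ECDH" or "RSA(512)" for export */
    char au[16];        /* authentication method */
    char enc[32];       /* encryption algorithm without the "(bits)" suffix */
    int  enc_bits;      /* 0 when the description carries no "(bits)" */
    char mac[16];       /* "AEAD" when the suite has no separate MAC */
    bool aead;
    bool export_flag;   /* trailing " export" marker */
} cipher_info;

/* Copy the value of a "Key=value" token into dst; false if key does not
 * match or the value would not fit. */
static bool take_field(const char *tok, const char *key, char *dst, size_t dstlen)
{
    size_t klen = strlen(key);
    if (strncmp(tok, key, klen) != 0)
        return false;
    const char *val = tok + klen;
    size_t vlen = strlen(val);
    if (vlen == 0 || vlen >= dstlen)
        return false;
    memcpy(dst, val, vlen + 1);
    return true;
}

/* Parse one SSL_CIPHER_description()-style line into *out.
 * Returns 0 on success, -1 if a required field is missing, a value does
 * not fit, or an unexpected token appears (the format changed under us). */
int parse_cipher_description(const char *line, cipher_info *out)
{
    char buf[256];
    memset(out, 0, sizeof(*out));
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);

    char *tok = strtok(buf, " \t\n");
    if (!tok || strlen(tok) >= sizeof(out->name)) return -1;
    strcpy(out->name, tok);

    tok = strtok(NULL, " \t\n");
    if (!tok || strlen(tok) >= sizeof(out->version)) return -1;
    strcpy(out->version, tok);

    bool have_kx = false, have_au = false, have_enc = false, have_mac = false;
    while ((tok = strtok(NULL, " \t\n")) != NULL) {
        if (take_field(tok, "Kx=", out->kx, sizeof(out->kx))) {
            have_kx = true;
        } else if (take_field(tok, "Au=", out->au, sizeof(out->au))) {
            have_au = true;
        } else if (take_field(tok, "Enc=", out->enc, sizeof(out->enc))) {
            have_enc = true;
            /* Split "AESGCM(128)" into algorithm name and key size. */
            char *paren = strchr(out->enc, '(');
            if (paren) {
                int bits = 0;
                if (sscanf(paren, "(%d)", &bits) != 1) return -1;
                out->enc_bits = bits;
                *paren = '\0';
            }
        } else if (take_field(tok, "Mac=", out->mac, sizeof(out->mac))) {
            have_mac = true;
            out->aead = (strcmp(out->mac, "AEAD") == 0);
        } else if (strcmp(tok, "export") == 0) {
            out->export_flag = true;
        } else {
            return -1;
        }
    }
    return (have_kx && have_au && have_enc && have_mac) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample approximating the 1.0.2 output for this suite. */
    const char *desc =
        "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n";
    cipher_info ci;
    if (parse_cipher_description(desc, &ci) != 0) {
        fprintf(stderr, "unrecognised cipher description format\n");
        return 1;
    }
    printf("%s (%s): kx=%s au=%s enc=%s/%d mac=%s aead=%d export=%d\n",
           ci.name, ci.version, ci.kx, ci.au, ci.enc, ci.enc_bits,
           ci.mac, ci.aead, ci.export_flag);
    return 0;
}
```

Note how much of the code exists only to cope with the text layout (padding, the `(bits)` suffix, the optional `export` marker) rather than with ciphers, and how a single new token in a future release turns a working check into a hard failure; an accessor per field would need none of it.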
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev