> On Feb 13, 2017, at 12:20 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
> Perhaps a reasonable compromise would be to ensure that the -noservername 
> option is accepted (as a noop) in 1.1.0<letter>, so that there is a way to 
> write a script that remains compatible between 1.1.0 and 1.1.1 even if the 
> default does change.

We could add a "-ignore_unknown" option, which (if specified first)
would more generally allow the CLI to ignore attempts to use features
only available in later versions.  An environment variable could provide
another means to the same end.

That said, I don't think that enabling SNI by default *in s_client* is
sufficient cause to motivate such a feature.  The s_client command adds
new options from time to time, and IIRC we've never before back-ported
these as NOPs.  If an "ignore_unknown" option is warranted, it is for
all the other new things we might add in addition to "-noservername".

I'd be more concerned with potentially incompatible changes to cms(1),
enc(1), req(1), x509(1), ... which are the main day-to-day tools used
by users to get useful work done.  The s_client(1) and s_server(1)
commands are diagnostic utilities, and as such it is reasonable to be
less strict w.r.t. reasonable behaviour changes.

We should still provide a backwards compatible interface, but that
does not preclude reasonable differences in the resulting behaviour.


openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
