In message <[email protected]> on Sat, 14 Apr 2018 16:24:56 -0400, Viktor Dukhovni <[email protected]> said:
openssl-users> > On Apr 14, 2018, at 4:18 PM, Richard Levitte <[email protected]> wrote:
openssl-users> >
openssl-users> >> Will real applications run into any meaningful problems?
openssl-users> >
openssl-users> > This is an argument that I find *terribly* frustrating. Are you
openssl-users> > suggesting that we have no test that tries to do what can be expected
openssl-users> > from a "real" application?
openssl-users>
openssl-users> I am suggesting that we ignore test failures that test for rather
openssl-users> artificial conditions. If our test negotiates TLS with our own
openssl-users> server and tests that it got exactly TLS 1.2 (because that's the
openssl-users> highest version our test expected to support by default) that's an
openssl-users> artificial test, and its failure is fine.

Do all the tests do that, i.e. actually check that they got nothing
higher than TLSv1.2? This is an open question, I haven't dived enough
into the TLS stuff to know (but will next week unless someone can say
for sure).

If that is the case, then I agree that it's quite artificial.
Otherwise, not so much.

openssl-users> Real applications that want no more than TLS 1.2 need
openssl-users> to set the max version, or not expect that maximum.
openssl-users> Anything else is an application bug.

Would you say that it's an application bug if it stumbles on a change
in API behavior that isn't due to a bug fix? (and even better, if it
worked according to documentation?)

openssl-users> Do we have any meaningful test failures that are not
openssl-users> artificial like the above? If so, we should fix them,
openssl-users> if not we possibly need more tests, but are otherwise
openssl-users> fine as best we know.

I disagree with us being fine, unless the possible issue I'm raising
can be disqualified with certainty.
--
Richard Levitte         [email protected]
OpenSSL Project         http://www.openssl.org/~levitte/
