In message <> on Sun, 15 Apr 2018 10:38:35 
-0700, Daniel Kahn Gillmor <> said:

dkg> Ideally, the semantics of the OpenSSL API for *most* users of the
dkg> library should be roughly "give me the best TLS session you can give".
dkg> There's no breakage in that API if the underlying library suddenly
dkg> starts negotiating TLS 1.3.

I generally agree.

dkg> An application which uses that API and then breaks because it got a
dkg> version of TLS or a ciphersuite that it didn't expect is mis-using the
dkg> API (or, is part of the test suite, which is actually testing the
dkg> internals of the library it was built against and we should expect a
dkg> failure if the library used is changed out from under it).

Generally speaking, I don't necesseraly agree.  If the use of an API
is perfectly valid for the conditions a program was built for, and
then suddenly breaks down because the new kid in town wanna play,
I find it hard to call that mis-use.  I would much rather have libssl
do something along the lines of "oh, you're one of the old guys, let's
use something that works for you".

dkg> I'm all for making a breaking changes in the OpenSSL API to discourage
dkg> use of bad/legacy API.

That calls for a major version change (in OpenSSL versioning, that
would be 1.2.0).  I think we've all come to some kind of agreement
that doing this isn't desirable at this point...


Richard Levitte
OpenSSL Project
openssl-project mailing list

Reply via email to