In message <877ep8s738....@fifthhorseman.net> on Sun, 15 Apr 2018 10:38:35 -0700, Daniel Kahn Gillmor <d...@fifthhorseman.net> said:
dkg> Ideally, the semantics of the OpenSSL API for *most* users of the
dkg> library should be roughly "give me the best TLS session you can give".
dkg> There's no breakage in that API if the underlying library suddenly
dkg> starts negotiating TLS 1.3.

I generally agree.

dkg> An application which uses that API and then breaks because it got a
dkg> version of TLS or a ciphersuite that it didn't expect is mis-using the
dkg> API (or, is part of the test suite, which is actually testing the
dkg> internals of the library it was built against and we should expect a
dkg> failure if the library used is changed out from under it).

Generally speaking, I don't necessarily agree. If the use of an API is perfectly valid for the conditions a program was built for, and then suddenly breaks down because the new kid in town wanna play, I find it hard to call that mis-use. I would much rather have libssl do something along the lines of "oh, you're one of the old guys, let's use something that works for you".

dkg> I'm all for making breaking changes in the OpenSSL API to discourage
dkg> use of bad/legacy API.

That calls for a major version change (in OpenSSL versioning, that would be 1.2.0). I think we've all come to some kind of agreement that doing this isn't desirable at this point...

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project