On 8 February 2015 at 00:19, Matt Caswell <matt at openssl.org> wrote: > > > On 07/02/15 14:41, Richard Moore wrote: > > > > > > On 3 February 2015 at 22:02, Rich Salz <rsalz at openssl.org > > <mailto:rsalz at openssl.org>> wrote: > > > > As we've already said, we are moving to making most OpenSSL data > > structures opaque. We deliberately used a non-specific term. :) > > As of Matt's commit of the other day, this is starting to happen > > now. We know this will inconvenience people as some applications > > no longer build. We want to work with maintainers to help them > > migrate, as we head down this path. > > > > We have a wiki page to discuss this effort. It will eventually > include > > tips on migration, application and code updates, and anything else > the > > community finds useful. Please visit: > > > > http://wiki.openssl.org/index.php/1.1_API_Changes > > > > > > I've documented what got broken in Qt by the changes so far. I've listed > > the functions I think we can use instead where they exist, and those > > where there does not appear to be a replacement. > > > On the wiki you say this: > > "cipher->valid - we were directly accessing the valid field of > SSL_CIPHER. No replacement found." > > I'm just trying to work out why you need this? As far as I can tell from > the code the only time valid isn't true is for cipher aliases ("ALL", > "COMPLEMENTOFALL" etc)...but I thought these were only used as an > SSL_CIPHER internally. E.g. if you call SSL_get_ciphers() then you only > get valid ciphers I think?? > > What scenario do you have where you are seeing ciphers that aren't valid? > Excellent question. This is code I inherited, and I can't see a sane reason why the cipher might not be valid. I strongly suspect removing this bit of code is actually the right solution here. The code is at http://code.woboq.org/qt5/qtbase/src/network/ssl/qsslsocket_openssl.cpp.html#651 Maybe some edge case for things like the TLS_FALLBACK_SCSV could have an effect, but even then I can't see how it would relevant to the code that's actually doing this. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150208/4e0d6f52/attachment.html>
