Difference between revisions of "OpenSSL 1.1.0 Changes"

From OpenSSLWiki
(Things that Broke in Qt)
Line 14: Line 14:
 
Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.
 
Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.
  
* DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1)
+
* DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1). Another option suggested by Steve Henson is to save the DHparams we're using at the moment then use d2i_DHparams to load them in. This is compatible with openssl versions that don't have the dh_auto option.
  
 
* ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
 
* ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
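Review bot: the sentence added to the DH bullet stops at d2i_DHparams, so it reads as if loading the saved parameters were the whole replacement for the direct field access. It should also say that the loaded DH still has to be installed on the context (for example with SSL_CTX_set_tmp_dh) and freed afterwards. It is also worth stating that the two options are not equivalent: SSL_CTX_set_dh_auto(ctx, 1) lets OpenSSL choose the parameters, while the d2i_DHparams route keeps the primes embedded in Qt.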

Revision as of 20:01, 7 February 2015

This is a parent page for discussion about API changes being done for OpenSSL version 1.1.

The overall goal of this project is to make most data structures opaque to applications. This provides us with a number of benefits:

  • We can add fields without breaking binary compatibility
  • Applications are more robust and can be more assured about correctness
  • It helps us determine which (new) accessors and setters, for example, are needed
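
The first benefit above, and the kind of breakage that direct field access such as ctx->cert_store invites, shown as an added example that is not code from this wiki or from OpenSSL. The struct layouts and the lib_*/app_* names are hypothetical stand-ins, not OpenSSL's real SSL_CTX.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layouts, NOT OpenSSL's real SSL_CTX: one library struct as
 * published in an old header, and after a release added two fields. */
struct ctx_old { int method; void *cert_store; };
struct ctx_new { int method; long options; void *session_cache;
                 void *cert_store; };

/* Library side: rebuilt with the new layout on every release. */
static struct ctx_new the_ctx;
static int store_obj, cache_obj;          /* stand-ins for real objects */

void *lib_ctx_new(void)
{
    the_ctx.method = 1;
    the_ctx.options = 0;
    the_ctx.session_cache = &cache_obj;
    the_ctx.cert_store = &store_obj;
    return &the_ctx;
}

void *lib_real_store(void) { return &store_obj; }

/* Accessor: compiled with the library, so it tracks the field's offset. */
void *lib_ctx_get_cert_store(const void *ctx)
{
    return ((const struct ctx_new *)ctx)->cert_store;
}

/* Application side, built against the OLD header: ctx->cert_store was
 * compiled into a load at the old offset, modelled here with memcpy. */
void *app_direct_cert_store(const void *ctx)
{
    void *p;
    memcpy(&p, (const char *)ctx + offsetof(struct ctx_old, cert_store),
           sizeof p);
    return p;
}

/* 1 when the stale direct read misses the field and the accessor finds it. */
int direct_access_broke(void)
{
    void *ctx = lib_ctx_new();
    return app_direct_cert_store(ctx) != lib_real_store()
        && lib_ctx_get_cert_store(ctx) == lib_real_store();
}

int main(void) { return direct_access_broke() ? 0 : 1; }
```

An application that only ever calls the accessor keeps working against the newer library without a rebuild, which is what making the structure opaque enforces at compile time.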

Please add sub-pages to discuss particular parts of the library as work progresses.

So far, the SSL library has mostly been made opaque. The old DES API has been removed.

Things that Broke in Qt

Here's what's broken in the dev branch of Qt when building openssl master as of 6 Feb 2015.

  • DH - we were directly accessing p and q to set the DH params to primes embedded in Qt. We can probably replace this with SSL_CTX_set_dh_auto(ctx, 1). Another option suggested by Steve Henson is to save the DHparams we're using at the moment then use d2i_DHparams to load them in. This is compatible with openssl versions that don't have the dh_auto option.
  • ctx->cert_store - we were directly accessing the cert_store field of SSL_CTX. We can probably replace this with X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
  • session->tlsext_tick_lifetime_hint - we were directly accessing the lifetime hint of the session. No replacement found.
  • cipher->valid - we were directly accessing the valid field of SSL_CIPHER. No replacement found.