[squid-dev] OpenSSL 1.1 regression

Ingo Schwarze schwarze at usta.de
Thu May 18 15:34:46 UTC 2017


Hi,

Alex Rousskov wrote on Thu, May 18, 2017 at 09:05:29AM -0600:
> On 05/18/2017 05:12 AM, Christos Tsantilas wrote:

>> Agrr... Using the OpenSSL version was the faster/easier way. Touching
>> autoconf may result in 2-3 full Squid rebuilds to implement/test similar
>> fixes.

> The alternative is to convince others that Squid will not support
> OpenSSL API implementations that lie about their OpenSSL API version.
> Judging by the time wasted on related discussions about API basics, I
> suspect it would be cheaper, in the long term, to use feature tests.

In general, using feature tests is also the cleaner and more
reliable way of dealing with API variations.

By definition, inspecting library version numbers only works

 - for one specific implementation:
   If somebody else does an alternative implementation, they have
   the choice of (1) not defining the foreign version number at all -
   which will result in catastrophic breakage in application
   software inspecting it - or (2) defining a very low number -
   which will result in such software not using available features -
   or (3) defining a very high number - which will result in such
   software trying to use unavailable features - or (4) slavishly
   following the API development path of the older implementation,
   which defeats part of the purpose of an alternative implementation,
   because that precludes all of the following: earlier addition
   of good interfaces that the older implementation only added
   later; removal of dangerous interfaces that you don't want to
   support; postponing the addition of new interfaces added in the
   older implementation that you don't have the time yet to implement
   properly, or that you consider less important.

 - as long as that implementation does not change the API again:
   If they do change the API back later, you have to touch all your
   application code again and adjust all related version number
   checks.

So while checking version numbers may sometimes look like the easiest
and quickest way to get an issue out of the way, it is not very
sustainable in the long run, and avoiding it generally results in
better and more portable software, and in safer and ever easier
maintenance.

Thanks for caring!
  Ingo

P.S.
For me, it's now "back to lurking"...
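
The feature-test approach argued for above, as an added example that is not part of the original message or of Squid's build system: a link probe in the style of an autoconf function check, which asks the linker whether a symbol exists instead of reading a version macro. The helper names `check_func` and `emit_config` are hypothetical, and the two OpenSSL function names in the last line are illustrative picks of 1.1-era additions, not the ones involved in this regression.

```shell
#!/bin/sh
# Added example: link-time feature probe, so the result does not depend on
# what version number the installed TLS library claims to be.

# check_func NAME [LINKER_FLAGS...]
# Returns 0 if a program calling NAME links, 2 if no compiler is available,
# and the compiler's non-zero status otherwise.
# Assumption: $CC, when set, is a single command name.
check_func() {
    func=$1; shift
    command -v "${CC:-cc}" >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    # Declare the symbol ourselves: no library header is included, so no
    # version macro can influence the answer.
    cat > "$dir/conftest.c" <<EOF
char $func();
int main(void) { return (int) $func(); }
EOF
    "${CC:-cc}" -o "$dir/conftest" "$dir/conftest.c" "$@" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# emit_config "LINKER_FLAGS" FUNC...
# Prints one config.h-style line per probed function; application code then
# tests HAVE_<FUNC> instead of comparing version numbers.
emit_config() {
    libs=$1; shift
    for f in "$@"; do
        macro=HAVE_$(printf '%s' "$f" | tr 'a-z' 'A-Z')
        # $libs is left unquoted on purpose so "-lssl -lcrypto" splits.
        if check_func "$f" $libs; then
            printf '#define %s 1\n' "$macro"
        else
            printf '/* #undef %s */\n' "$macro"
        fi
    done
}

# Usage: the output depends only on what the installed library exports.
emit_config "-lssl -lcrypto" X509_up_ref TLS_client_method
```
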

