Reflect special DEFAULT behavior in ciphers(1)#5428
Reflect special DEFAULT behavior in ciphers(1)#5428AloisMahdal wants to merge 1 commit intoopenssl:masterfrom AloisMahdal:default_as_pfx
DEFAULT behavior in ciphers(1)#5428Conversation
openssl-machine
added
the
hold: cla required
|
@AloisMahdal we need an individual CLA from you (we have a global corporate RedHat one). Thanks. |
|
(iCLA sent.) Note that this PR does not address directly the fact that |
|
See #5429 |
|
open/close to kick the CLA-bot. |
openssl-machine
removed
the
hold: cla required
|
How about this minor wording changes: |
|
Pretty close, but <-> is not a "combining" character, it is only special as the first character of a cipherlist element (-RC4) but clearly not in the middle (RC4-SHA). |
|
Updated:
|
richsalz
left a comment
richsalz
left a comment
There was a problem hiding this comment.
two minor changes. thanks for doing this. i will close mine.
doc/man1/ciphers.pod
Outdated
doc/man1/ciphers.pod
Outdated
There was a problem hiding this comment.
Unlike the cipher string ...
|
Thanks for feedback. (Need to read up something on usage of "the".) Updated: addded the's, re-wrapped and rebased on master. |
doc/man1/ciphers.pod
Outdated
doc/man1/ciphers.pod
Outdated
There was a problem hiding this comment.
s/Unlike the cipher string/Unlike other cipher strings/
There was a problem hiding this comment.
Wouldn't that imply DEFAULT is a cipher string? Because it's not... (at least that's what I'm trying to say)
doc/man1/ciphers.pod
Outdated
There was a problem hiding this comment.
s/valid cipher list/valid cipher string/
There was a problem hiding this comment.
Mind you, the real story is more subtle (back to the BUGS issue), since DEFAULT+FOO is surprisingly instead "DEFAULT:+FOO", which would put FOO last (for any value of FOO). So the users who specify "DEFAULT+FOO" do not get anything like what they probably intended. If that's described, then it goes into a BUGS section, and must not be described as a stable interface.
There was a problem hiding this comment.
Fixed the the. See below for comment on BUGS.
doc/man1/ciphers.pod
Outdated
Actual behavior of DEFAULT is different than currently described. Rather than actinf as cipher string, DEFAULT cannot be combined using logical operators, etc. Fixes #5420.
|
Fixed most issues (i was not sure about the the vs. other. Anyway, I agree with @vdukhovni that it's not a good idea to describe this as stable interface. I opened (yet) another PR #5455 where I described it as part of BUGS section (I added it following convention described in man-pages(7).) |
| See L<SSL_CTX_set_security_level> for a description of what each level means. | ||
|
|
||
| The cipher list can be prefixed with the B<DEFAULT> keyword, which enables | ||
| the default cipher list as defined below. Unlike the cipher string, |
There was a problem hiding this comment.
The text here really does need to change. The simplest change is from 'Unlike the' to 'Unlike other'. If you want to provide more detail, you could explain that all other cipher strings are "+" separated conjunctions (AND) of basic cipher strings, which represent a single cipher or class of ciphers sharing a common elementary property. The "DEFAULT" keywork is not such a cipher string, it is instead a built-in cipher list definition that can be a starting point for further refinement, but is not combinable with "+", and must come first.
There was a problem hiding this comment.
Re s/Unlike the/Unlike other/, the way things are expressed here, DEFAULT isn't a cipher string, but rather a prefix. Seen that way, 'other' would be wrong, wouldn't it? Although, I might want to see that changed to 'Unlike cipher strings, ...'
|
@AloisMahdal , @vdukhovni any update? |
|
Just English grammar nits in the docs. |
|
Actually, based on @vdukhovni's feedback I've opened also #5455, which takes another approach to solve this #5420 issue by describing the behavior in BUGS section. My hope is that the community will choose which approach is better and merge one PR and close the other. |
|
It seems that this is preferred to #5455. Please see @vdukhovni's commentary there to do some adjustments here. |
|
This PR seems to have gone stale. I could see this being approved with the following editorial fixup: diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index 6da316db89..751518d1c2 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -157,9 +157,9 @@ level to B<n>, which should be a number between zero and five, inclusive.
See L<SSL_CTX_set_security_level> for a description of what each level means.
The cipher list can be prefixed with the B<DEFAULT> keyword, which enables
-the default cipher list as defined below. Unlike the cipher string,
+the default cipher list as defined below. Unlike cipher strings,
this prefix may not be combined with other strings using B<+> character.
-For example, B<DEFAULT+DES> is not a valid cipher string.
+For example, B<DEFAULT+DES> is not valid.
The content of the default list is determined at compile time and normally
corresponds to B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>.What say @openssl? |
|
Yes, please, merge this with your change. +1 |
|
Merged into master with mentioned editorial changes. c190506 Reflect special |
Actual behavior of DEFAULT is different than currently described. Rather than actinf as cipher string, DEFAULT cannot be combined using logical operators, etc. Fixes #5420. Reviewed-by: Rich Salz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from #5428)
6 participants
Actual behavior of DEFAULT is different than currently described.
Rather than actinf as cipher string, DEFAULT cannot be combined using
logical operators, etc.
Fixes #5420.
Checklist