Describe bug in DEFAULT "cipher string" behavior #5455
AloisMahdal wants to merge 1 commit into openssl:master from AloisMahdal:default_as_bugs
Probably a better alternative to #5428, this describes the
doc/man1/ciphers.pod
+ECDH does not enable ECDH ciphers, it just moves them to the end. Just "ECDH" would add them, but the !COMPLEMENTOFDEFAULT doesn't allow adding any ciphers not in DEFAULT.
Nice catch. I'll fix it in a sec. (See below for comment about the !)
This probably does not have direct bearing on this PR, but I just realized that the original definition of
This allows two ways to understand:
So far I've read it as (A), but @kroeckx's comment seems to suggest (B). I'm not sure which one it is. (Haven't read what the code does.)
Actual behavior of DEFAULT is different than currently described. Rather than acting as cipher string, DEFAULT cannot be combined using logical operators, etc. Fixes #5420.
It's (B).
This version is confusing the non-BUGS and BUGS behaviours, putting everything in BUGS. The fact that DEFAULT is special, and can only be listed first is NOT a bug. The fact that "DEFAULTfoo" is treated the same as "DEFAULT:foo" is a BUG, that we might not fix, since it might break existing practice,
So #5428 is closer to the right fix, but is "missing" the "BUGS" documentation, namely, funny syntax of "DEFAULT+FOO", "DEFAULT-FOO", and "DEFAULTFOO", where these instead become:
| This is determined at compile time and is normally | ||
| B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. | ||
| When used, this must be the first cipherstring specified. | ||
| B<ALL:!COMPLEMENTOFDEFAULT:!eNULL>. See BUGS section, though. |
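Review bot: on the last line of this hunk, "See BUGS section, though." leaves the DEFAULT entry without its usage rule if "When used, this must be the first cipherstring specified." is the line being dropped. That rule is a requirement for anyone writing a cipher list, so keep it in this entry, and make the pointer a real POD link, L</BUGS>, rather than plain text.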
The BUGS section clarifies quite a bit, but some small part of it could be transferred here, such as an added sentence, like:
Note that B<DEFAULT> isn't a cipher string like the others. It may only appear at the beginning of a cipher list and cannot be combined in an expression with anything else. See L</BUGS> for further explanations.
#5428 was merged in preference of this. Closing.
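A configuration check for the rule discussed in this thread (DEFAULT only as the first, stand-alone element of a cipher list), as an added example that is not part of the PR or of OpenSSL. `lint_default` and its finding codes are hypothetical names, the sample cipher lists are constructed, and elements are assumed to be separated by colons, commas or spaces.

```python
import re

# Assumption: cipher-list elements are separated by colons, commas or spaces.
_SEPARATORS = re.compile(r"[:, ]+")


def lint_default(cipher_list):
    """Return (position, element, code) for each questionable use of DEFAULT.

    Codes (hypothetical, defined for this example only):
      not-first : DEFAULT appears, but not as the first element
      fused     : first element starts with DEFAULT and has trailing text,
                  e.g. DEFAULTFOO, DEFAULT+FOO, DEFAULT-FOO
      combined  : DEFAULT sits behind an operator or another string,
                  e.g. !DEFAULT, HIGH+DEFAULT
    """
    findings = []
    elements = [e for e in _SEPARATORS.split(cipher_list.strip()) if e]
    for pos, elem in enumerate(elements):
        # COMPLEMENTOFDEFAULT is a separate keyword; do not confuse it with DEFAULT.
        if "DEFAULT" not in elem.replace("COMPLEMENTOFDEFAULT", ""):
            continue
        if not elem.startswith("DEFAULT"):
            code = "combined"
        elif pos != 0:
            code = "not-first"
        elif elem != "DEFAULT":
            code = "fused"
        else:
            continue  # plain DEFAULT in first position: the documented usage
        findings.append((pos, elem, code))
    return findings


if __name__ == "__main__":
    # Constructed sample cipher lists, e.g. as found in server configuration.
    samples = [
        "DEFAULT:!RC4",
        "ALL:!COMPLEMENTOFDEFAULT:!eNULL",
        "ECDH:DEFAULT",
        "DEFAULT+FOO",
        "DEFAULTFOO:HIGH",
        "HIGH:!DEFAULT",
    ]
    for s in samples:
        print(f"{s!r}: {lint_default(s) or 'ok'}")
```
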