Note that it doesn't entirely fix the regressions observed in #5661. It will remain in WIP until #5661 isn't an issue any more.

SSL_CTX_new() to SSL_CTX_new_111()

I'm wondering whether we could use symbol versioning to do this same thing? It wouldn't work on platforms without symbol versioning though.

This requires a special-built 1.1.1 library which seems to defeat the purpose. Can this library be used for both 1.3 and earlier protocol versions?

I think that simply not enabling 1.3 by default is much easier to understand.

This requires a special-built 1.1.1 library which seems to defeat the purpose.

Uhmmm, no, no special building should be required. If you're thinking about OPENSSL_DISABLE_TLSv13, all it does is decide if SSL_CTX_new() gets redirected to SSL_CTX_new_111() or not.

I'm wondering whether we could use symbol versioning to do this same thing? It wouldn't work on platforms without symbol versioning though.

We could, but as you said, this isn't universally available, so we'll get the pleasure of maintaining two ways of doing this instead of just one. I'm not at all keen to do this.

This requires a special-built 1.1.1 library which seems to defeat the purpose.

No. The same library would be able to support pre-1.1.1 apps and 1.1.1 apps. If an app was compiled against 1.1.0 headers but run against the 1.1.1 library then it will get a maximum of TLSv1.2. Apps compiled against the 1.1.1 headers would get TLSv1.3 by default unless you build the app with OPENSSL_DISABLE_TLSv13 defined, e.g. gcc -DOPENSSL_DISABLE_TLSv13 myapp.c ...

I like this idea because it removes a significant barrier to upgrading without removing TLSv1.3 being on-by-default.

So how about the internal API being called like this:

SSL_CTX_new_ex(..., int flags)
// or
SSL_CTX_new_ex(..., int minproto, int maxproto, int flags);

That seems more general purpose and future-proof. min or max can be "0" to mean lowest or highest supported by the library. And for 1.1.1 the highest should be explicitly set to 1.3

And, of course, that function needs to be documented.

So how about the internal API being called like this:

I was thinking about that myself, but actually I think it would be wrong to encourage people to hard code a maximum protocol version into their apps.

I was thinking about that myself, but actually I think it would be wrong to encourage people to hard code a maximum protocol version into their apps.

But maybe some of the other params you suggest would be ok.

It would not be wrong. There are special-cases where someone wants fine-grain control over which protocol version. The implementation is trivial

if (minproto!=0) SSL_CTX_set_min_protocol(...

In other words, we provide functions to allow is. This just makes it more convenient.

+1 to Rich's proposal.

I was thinking that this would be an interim solution. With OpenSSL 1.2.0, SSL_CTX_new_111() and the hackery to redirect SSL_CTX_new to it would simply be removed and SSL_CTX_new() would go back to normal.

How often would you expect that people would call SSL_CTX_new_ex with a minimum and maximum version other than 0?

With OpenSSL 1.2.0, SSL_CTX_new_111() and the hackery to redirect SSL_CTX_new to it would simply be removed and SSL_CTX_new() would go back to normal.

Agreed. I still think we should avoid version specific names These things have a tendency to stick around even when we don't plan them to. We should probably have a comment in the header saying something like "don't use this directly - always call SSL_CTX". Unless that is we go with Rich's proposal.

I think the new _ex routine will become more common. I do not know how often folks will want to clamp to specific versions. I think, for example, that this library should clamp to 1.3 so that 1.4 requires a recompile.

I also know that in my $DAYJOB we have many customers who want us to limit what versions we support.

I would like that this not get approved until we have more discussion. For example, I feel strongly that the full "ex" API is the way to go.

SSL_CTX_new_ex()

Note that we had previous related discussions in #2397 and #4848

I would like that this not get approved until we have more discussion. For example, I feel strongly that the full "ex" API is the way to go.

Sure. Either way, I would say that the regression situation is a release show stopper.

(I'll note, btw, that this simple move greatly improves the tests that failed in #5661. Not entirely, but quite a lot)

SSL_CTX_new_ex()

Note that we had previous related discussions in #2397 and #4848

PR #3761 is the fix for #2397, and it defines SSL_CTX_new_ex()
While I like @richsalz's idea of SSL_CTX_new_ex(), it makes changes such as #3761 more complicated to incorporate: do we add SSL_CTX_new_ex2() ?

That being said, there are ways to tag inputs to allow the number of inputs to expand without redefining the function each time (kinda like named arguments, but in C):

/* 
 * Use DONE to flag no more arguments, or redefine to include a count of
 * extra parameters
 */
#define SSL_CTX_NEW_DONE 0 
#define SSL_CTX_NEW_MIN_VERSION (1 | SSL_EX_TYPE_INT)
#define SSL_CTX_NEW_MAX_VERSION (2 | SSL_EX_TYPE_INT)
#define SSL_CTX_NEW_CACHE (3 | SSL_EX_TYPE_PTR)
#define SSL_CTX_FLAGS (4 | SSL_EX_TYPE_LONG)

SSL_CTX *SSL_CTX_new_ex(const SSL_METHOD *meth, ...)
ctx = SSL_CTX_new_ex(TLS_method(),
                     SSL_CTX_NEW_MIN_VERSION, TLS1_2_VERSION,
                     SSL_CTX_NEW_CACHE, session_cache,
                     SSL_CTX_NEW_DONE);
/* or */
SSL_CTX *SSL_CTX_new_ex(const SSL_METHOD *meth, int argc, ...)
ctx = SSL_CTX_new_ex(TLS_method(), 2,
                     SSL_CTX_NEW_MIN_VERSION, TLS1_2_VERSION,
                     SSL_CTX_NEW_CACHE, session_cache);

Edit: include a type in the argument type, so that unknown arguments can be ignored

Too late for now, but knowing in a library initialization function, what version the application was compiled with, might be useful.

That would require cooperation from the application, or exactly the kind of hackery this PR does...

Ah, you meant like that... That could be made part of this PR. I assume, btw, that the version passed to SSL_CTX_new_ver can be expressed as "the version we're building for", so it makes some kind of sense to have something like this:

/* Users should never call this function directly */
__owur SSL_CTX *SSL_CTX_new_ver(const SSL_METHOD *meth, int ver);
/* OPENSSL_DISABLE_TLSV1_3 is optional, defined by the user when building their programs */
#ifdef OPENSSL_DISABLE_TLS1_3
/*
 * TLSv1.3 is new in version 1.1.1, and behaves differently than earlier TLS versions.
 * When the user disables it to be able to compile older programs without having to
 * change them, we simply pretend that they build for a pre-1.1.1 version, i.e. 1.1.0
 */
# define SSL_CTX_new(meth) SSL_CTX_new_ver((meth), 0x10100000UL)
#else
# define SSL_CTX_new(meth) SSL_CTX_new_ver((meth), OPENSSL_VERSION_NUMBER)
#endif

Why do you keep using _ver ending when everything else has used _ex? :)

Why do you keep using _ver ending when everything else has used _ex? :)

1. I haven't yet (see the diff)
2. I followed the example.
3. Considering the purpose is small and well defined (_ex is more general purpose), it makes sense.

I'd like to suggest that we put this PR on hold until we determine whether any of this is necessary.

The discussion on openssl-project concluded that the solution in this PR isn't the right move, so I'm closing this. Further technical discussions should happen in #5944.