[PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function
Maxim Dounin
mdounin at mdounin.ru
Mon Jul 7 13:04:49 UTC 2014

Hello!

On Sun, Jul 06, 2014 at 07:16:44PM -0700, Piotr Sikora wrote:
> Hey Maxim,
>
> > I can't say I like this change - it introduces lots of code for no
> > real reason.
> >
> > And I don't think we should follow some arbitrarily set
> > "deprecated" flag introduced for unknown reasons years ago and
> > still undocumented in the latest release (much like the
> > replacement function). Moreover, the RSA_generate_key() is still
> > used in OpenSSL's own codebase, as well as in multiple demos and
> > man pages.
>
> RSA_generate_key() is clearly marked as deprecated in OpenSSL's
> documentation [1] and RSA_generate_key_ex() is documented on the same
> page.

It's marked as deprecated in master branch, but not in the latest
release. Try looking into the latest release docs, 1.0.1h -
doc/crypto/RSA_generate_key.pod doesn't even mention
RSA_generate_key_ex.

> I don't think we should blindly follow -DOPENSSL_NO_DEPRECATED and
> -DOPENSSL_NO_SSL_INTERN, but it's useful to find potential issues with
> existing code.

Sure, it can and likely will be helpful. In this particular case
the replacement code seems to be too long though. For
development needs, it will probably be enough to just return NULL
if OPENSSL_NO_DEPRECATED is defined.

--
Maxim Dounin
http://nginx.org/