On Wed, Sep 19, 2018 at 6:56 AM Joe Orton <jor...@redhat.com> wrote: > On Wed, Sep 19, 2018 at 01:19:29PM +0200, Apache Lounge wrote: > > Are there examples what (maybe) does not work with OpenSSL 1.1.1 ? > > Have you run the test suite? The flipped setting of SSL_MODE_AUTO_RETRY > is expected to break TLSv1.2 as well, that problem is consistent with > the hangs Daniel reported here. >
Note this applies specifically to the timing and scope of httpd auth under TLS. > > openssl.org says that the new 1.1.1 is binary and API/ABI compatible > with > > OpenSSL 1.1.0. > > For some apps that might be true, I think it's a bit of a stretch, but > it's not really worth arguing about. > And note that 1.1.1a may address some deficiencies in 1.1.1 release w.r.t. compatibility. Although this specific one was asked-and-answered, with enough pushback from various projects, such defaults (at least for the behavior of TLS 1.2) may be reconsidered. +1 on the proposed statement.