On Mon, Dec 17, 2012 at 10:43:18AM -0800, Michael Elkins wrote:
On Wed, May 23, 2012 at 03:57:57PM -0400, Phil Pennock wrote:
Counter-intuitively, the OpenSSL folks have TLSv1_client_method()
negotiate *only* TLSv1.0, and SSLv23_client_method() remains the only
method which can negotiate different versions.  This is true at least as
of 1.0.1c (the latest release at time of writing).

After poking around in the OpenSSL code, it looks like what you can alternatively do is just use TLSv1_2_client_method() and openssl will autonegotiate the highest TLSv1.x protocol supported by both client and server.

So it turns out I was wrong, and the original patch was correct. TLSv1_client_method() uses ssl3_connect() which does not honor the SSL_OP_NO_TLS* flags.

See http://dev.mutt.org/trac/ticket/3612 for background.
