Hi all,

I know, my proposal is most likely against the OpenSSL policy to not change feature defaults within a branch. Nevertheless I ask here to consider breaking this policy for this one time here because I see this situation currently: we can't expect that Linux distros jump on the 0.9.9 / 1.0.0 train within the next 2-3 years since they seem to be always some versions or even branches behind for whatever compatibility reasons.

That means that although we have now Apache 2.2, lighttpd, cURL and probably a lot of other products which are able to make use of tlsext for SNI, the end user never gets this feature unless these products are built against GNUTLS or NSS. It seems that only very few Linux distros - if at all - provide OpenSSL packages compiled with tlsext.

If the OpenSSL team would change the default to enable tlsext, that would signal that the OpenSSL team is confident that it works, and trusts their own code. AFAICT GNUTLS and NSS also provide SNI for longer by default already.

Günter.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
