On Fri, May 29, 2009, Guenter wrote:

> Hi all,
> I know, my proposal is most likely against the OpenSSL policy to not
> change feature defaults within a branch. Nevertheless I ask here to
> consider breaking this policy for this one time here because I see this
> situation currently:
> we can't expect that Linux distros jump on the 0.9.9 / 1.0.0 train within
> the next 2-3 years since they seem to be always some versions or even
> branches behind for whatever compatibility reasons. That means that
> although we have now Apache 2.2, lighttpd, cURL and probably a lot of
> other products which are able to make use of tlsext for SNI, the end user
> never gets this feature unless these products are built against GNUTLS
> or NSS. It seems that only very few Linux distros - if at all - provide
> OpenSSL packages compiled with tlsext. If the OpenSSL team would change
> the default to enable tlsext that would signal that the OpenSSL team is
> confident that it works, and trusts their own code.
> AFAICT GNUTLS and NSS also provide SNI for longer by default already.
>

OpenSSL 0.9.8k and later already have TLS extensions enabled by default.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
