> [openssl-dev@openssl.org - Wed Apr 25 00:33:54 2012]:
>
> Hi,
>
> 1.0.0 had this:
> /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
>  * This used to be 0x000FFFFFL before 0.9.7. */
> #define SSL_OP_ALL 0x80000FFFL
>
> 1.0.1 now has:
> #define SSL_OP_NO_TLSv1_1 0x00000400L
> #define SSL_OP_ALL 0x80000BFFL
>
> So that basically means that applications built with the
> 1.0.0 headers disable TLS v1.1 support. This causes a
> problem talking to something that supports TLS 1.1 but
> doesn't support TLS 1.2.
Which is a problem for OpenSSL clients, which will advertise TLS 1.2 support and then choke if the server tries TLS 1.1. OpenSSL servers should work though and end up negotiating TLS 1.0 if a client advertises support for TLS 1.1.

> I suggest we change the value of SSL_OP_NO_TLSv1_1.

We have one bit left in the flags option so that could be done. Side effect of doing that is any application built against OpenSSL 1.0.1 or 1.0.1a headers which has an option to set SSL_OP_NO_TLSv1_1 will have that turned into a noop and will have to be recompiled for that to work. Presumably there are very few applications in that category?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
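The client-side failure and the server-side fallback described in this thread, as an added example that is not code from the thread or from OpenSSL: it uses the option values quoted above and a deliberately simplified model of TLS version negotiation (the `negotiate` and `disabled` functions are assumptions of this example, not library calls).

```c
/* Added example, not code from the thread or from OpenSSL: a small model of
 * the SSL_OP_ALL / SSL_OP_NO_TLSv1_1 bit collision described above. Option
 * values are the ones quoted in the thread; the negotiation logic is a
 * deliberate simplification of a TLS version handshake. */
#include <stdio.h>

#define OP_ALL_1_0_0   0x80000FFFL  /* SSL_OP_ALL in the 1.0.0 headers */
#define OP_ALL_1_0_1   0x80000BFFL  /* SSL_OP_ALL in the 1.0.1 headers */
#define OP_NO_TLSv1_1  0x00000400L  /* SSL_OP_NO_TLSv1_1 as 1.0.1 reads it */

enum { NONE = -1, TLS1_0 = 0, TLS1_1 = 1, TLS1_2 = 2 };

/* Does the 1.0.1 library treat this options word as disabling `version`?
 * Only the TLS 1.1 bit is modeled, since it is the bit the collision hits. */
static int disabled(long options, int version)
{
    return version == TLS1_1 && (options & OP_NO_TLSv1_1) != 0;
}

/* Simplified handshake: the client advertises its highest supported version
 * regardless of its option bits (a 1.0.1 client advertises TLS 1.2); the
 * server takes the highest version both support and steps down past versions
 * it has disabled; the client then refuses a version its own options disable.
 * Returns the negotiated version, or NONE when the handshake fails. */
static int negotiate(long client_opts, int client_max,
                     long server_opts, int server_max)
{
    int chosen = client_max < server_max ? client_max : server_max;
    while (chosen >= TLS1_0 && disabled(server_opts, chosen))
        chosen--;                      /* server-side fallback */
    if (chosen < TLS1_0 || disabled(client_opts, chosen))
        return NONE;                   /* client chokes on the chosen version */
    return chosen;
}

int main(void)
{
    /* Client built with 1.0.0 headers but running on 1.0.1, against a server
     * whose highest version is TLS 1.1: the failing case from the thread. */
    printf("1.0.0-header client vs TLS 1.1 server: %d\n",
           negotiate(OP_ALL_1_0_0, TLS1_2, 0, TLS1_1));   /* -1 (fails) */
    printf("1.0.1-header client vs TLS 1.1 server: %d\n",
           negotiate(OP_ALL_1_0_1, TLS1_2, 0, TLS1_1));   /* 1 (TLS 1.1) */
    /* A server built with 1.0.0 headers still works, falling back to 1.0. */
    printf("TLS 1.1 client vs 1.0.0-header server: %d\n",
           negotiate(0, TLS1_1, OP_ALL_1_0_0, TLS1_2));   /* 0 (TLS 1.0) */
    return 0;
}
```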