I imagine I could figure this out by reading the source, but does the SM2 fix (the high-severity issue for OpenSSL 1.1.1l) apply to TLS using SMx (RFC 8998), or just to applications that use SM2 directly via the EVP API? It wasn't clear from the announcement, unless I missed something.
We'll be picking up 1.1.1l shortly, but I'd like to be able to clarify the situation for management and customers. -- Michael Wojcik
