Hi,

On Mon, Apr 21, 2014 at 12:24:30PM +0200, Steffan Karger wrote:
> On 21-04-14 09:10, James Yonan wrote:
> > For OpenSSL, this means to use TLSv1_(client|server)_method rather
> > than SSLv23_(client|server)_method combined with SSL_OP_NO_x flags
> > for specific TLS versions to disable.
>
> I'm not sure I understand the rationale behind this. If I don't specify
> a minimum version, my maximum version changes to TLS 1.0? Could you
> maybe explain the "why" for this patch?
"turn it off!", without introducing yet another config directive (or, more precisely, "do not turn it on by default" if I read the patch right).

There seem to be some not-yet-fully-understood combinations of OpenSSL library versions/library builds that will break 2.3.3 clients <-> git-master servers if the TLS version negotiation patch is active, so having a way to turn it off at run-time (if only to see if that is the problem) is certainly useful.

gert
--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de