Ken Hornstein wrote in <20190627175008.639987b...@pb-smtp21.pobox.com>:
|>Thinking about it, the "ext" in SSL_set_tlsext_host_name
|>could appear strange in five years from now.
|
|As opposed to the REST of the OpenSSL API? :-)
..seen that way.. But the problem is real:
#?0|kent:$ grep -ri
>Thinking about it, the "ext" in SSL_set_tlsext_host_name
>could appear strange in five years from now.
As opposed to the REST of the OpenSSL API? :-)
--Ken
--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
Ken Hornstein wrote in <20190627171410.ea24e7b...@pb-smtp21.pobox.com>:
|>I use that protected via
|>
|> #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
|I did see that ... but I also was worried that since OpenSSL makes no
|guarantees that this define will stick around in the future, depending
|on t
>I use that protected via
>
> #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
I did see that ... but I also was worried that since OpenSSL makes no
guarantees that this define will stick around in the future, depending
on that may come back to bite me. I'd rather simply just put it in
unconditionally and fo
Ken Hornstein wrote:
> When researching the issue Michael Richardson brought up today, it made
> me realize we really should be calling SSL_set_tlsext_host_name() so we
> send the TLS extension "server name indicator". Which is easy, it's
> literally one line of code. But that m
>That would make RHEL6 users, at least, sad:
>
>$ rpm -q openssl
>openssl-1.0.1e-57.el6.x86_64
>openssl-1.0.1e-57.el6.i686
I feel your pain since we use a lot of CentOS 6 at work, but you don't
have much longer to use it, right? I think support for it only goes
until next year, unless you pay for
Ken Hornstein wrote in <20190627150420.4ff107a...@pb-smtp21.pobox.com>:
|Everyone,
|
|When researching the issue Michael Richardson brought up today, it made
|me realize we really should be calling SSL_set_tlsext_host_name() so we
|send the TLS extension "server name indicator". Which is easy
Ken Hornstein writes:
> I think at this point we should consider OpenSSL
> 1.0.2 the minimum supported version of OpenSSL for nmh. This would
> guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
> Objections?
That would make RHEL6 users, at least, sad:
$ rpm -q openssl
openssl
>I think at this point we should consider OpenSSL
>1.0.2 the minimum supported version of OpenSSL for nmh. This would
>guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
>Objections?
One additional thing ... writing the code to check the version of
OpenSSL is a mild to moderate