Hi,

This patch set is meant to remove ephemeral RSA support from the master branch, and disable (weak) export ciphers by default. While coding I came across some other stuff I fixed along the way:

1/6: Update two old calls to TLSv1*() functions to SSLv23*() functions, matching the TLS negotiation changes. This patch should be applied to both release/2.3 and master branches.

2/6: Update debug output to match the TLS negotiation changes. This patch should be applied to both release/2.3 and master branches.

3/6: Make --show-tls parse information retrieved from --tls-cipher options, to ease debugging and configuration. I think this one belongs in both release/2.3 and master too.

4/6: Remove the ephemeral RSA key generation callback, as discussed on the mailing list. This patch is for master only.

5/6: Preparation for 6/6, makes tls_ctx_restrict_ciphers accept a NULL pointer for the cipher_list parameter, in which case it will use default settings (which for now is 'do nothing'). This one could go into release/2.3, because it doesn't really change anything, but is not really needed there as 6/6 is master-only.

6/6: Disable export ciphers for OpenSSL builds. This is to avoid confusion, because otherwise the export ciphers that require ephemeral RSA would still be printed by --show-tls. Furthermore, export ciphers are deliberately weak and much better alternatives are available. This patch is for master only.

I've tried to exhaustively comment on the changes in the commit messages, but if there are any remaining questions I'm happy to answer them.

-Steffan