[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[nmh-workers] Making OpenSSL 1.0.2 minimum version
From: |
Ken Hornstein |
Subject: |
[nmh-workers] Making OpenSSL 1.0.2 minimum version |
Date: |
Thu, 27 Jun 2019 11:04:16 -0400 |
Everyone,
When researching the issue Michael Richardson brought up today, it make
me realize we really should be calling SSL_set_tlsext_host_name() so we
send the TLS extension "server name indicator". Which is easy, it's
literally one line of code. But that makes me ask a larger question: we
have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
lack the energy to research if SSL_set_tlsext_host_name() exists in
pre-1.0.2 OpenSSL. I think at this point we should consider OpenSSL
1.0.2 the minimum supported version of OpenSSL for nmh. This would
guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
Objections?
--Ken
- [nmh-workers] Making OpenSSL 1.0.2 minimum version,
Ken Hornstein <=
Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version, Michael Richardson, 2019/06/27