Re: [Lynx-dev] [openssl-dev] On SSLv23_method() drop and TLS_method() introduction
From: Matt Caswell
Subject: Re: [Lynx-dev] [openssl-dev] On SSLv23_method() drop and TLS_method() introduction
Date: Tue, 19 May 2015 18:50:25 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
On 19/05/15 17:49, Thorsten Glaser wrote:
>> Matt Caswell wrote:
>
>>> This is not quite correct either. TLSv1_client_method() will force
>>> TLS1.0 only. This is the correct approach:
>>>
>>> +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
>>> + ssl_ctx = SSL_CTX_new(TLS_client_method());
>>> +#else
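Review bot: the quoted hunk ends at `+#else`, so the fallback for OpenSSL before 1.1.0 is not visible; given that SSLv23_client_method() is the older name for the same auto-negotiating method, that branch should read `+ ssl_ctx = SSL_CTX_new(SSLv23_client_method());` so both sides of the #if negotiate the highest protocol the library offers. Two follow-ups for the complete patch: a negotiating method on an older library that was built with SSLv2/SSLv3 will still accept SSLv3, so the context should also get `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` immediately after SSL_CTX_new() (on 1.1.0 and later SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION) is the equivalent), and the SSL_CTX_new() return value needs a NULL check before ssl_ctx is used.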
>
> Indeed, but that method does not exist in older versions,
Which is why you have the test for OPENSSL_VERSION_NUMBER.
> whereas
> they *can* be built without SSLv2/SSLv3 support.
That does not make any difference. SSLv23_client_method() works
perfectly well without SSLv2/SSLv3 support. The name is very misleading
and confusing. It was named at a time when the only versions available
were SSLv2 and SSLv3. Its purpose is to auto-negotiate the highest
available version (including TLS1.0, TLS1.1 and TLS1.2). The misleading
name is the reason it has been renamed in the latest OpenSSL dev branch.
TLS_client_method() does exactly the same thing as
SSLv23_client_method() used to do - it's just the preferred name for it
from version 1.1.0 onwards.
Not sure why my original post on this subject did not come through to
lynx-dev (I am subscribed, and posted from the same email address I am
subscribed with). Perhaps someone could forward this email to the list for
me if it doesn't arrive by itself :-)
Thanks
Matt
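An added example, not code from this thread or from lynx or OpenSSL: a small C program that decodes the OPENSSL_VERSION_NUMBER encoding used by OpenSSL 0.9.x through 1.1.x, so the cut-over value 0x10100000L in the #if above can be read and checked, and that reproduces the same method-name decision at run time. The helper names are my own, and the sample numbers in main() are constructed from real release numbers; the program needs no OpenSSL headers or libraries.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the thread or from lynx/OpenSSL.
 * OpenSSL 0.9.x to 1.1.x encode OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * major, minor, fix, patch letter, status. OpenSSL 3.x changed the layout
 * (0xMNN00PP0L), so this decoder is for 1.x-style numbers only.
 */

struct ossl_version {
    unsigned major;   /* M  : 4 bits  */
    unsigned minor;   /* NN : 8 bits  */
    unsigned fix;     /* FF : 8 bits  */
    unsigned patch;   /* PP : 8 bits, 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status;  /* S  : 4 bits, 0 = dev, 1..14 = beta N, 15 = release */
};

static struct ossl_version ossl_decode(unsigned long n)
{
    struct ossl_version v;
    v.major  = (unsigned)((n >> 28) & 0x0f);
    v.minor  = (unsigned)((n >> 20) & 0xff);
    v.fix    = (unsigned)((n >> 12) & 0xff);
    v.patch  = (unsigned)((n >>  4) & 0xff);
    v.status = (unsigned)( n        & 0x0f);
    return v;
}

/*
 * Render the number the way the release is named:
 * 0x1000207fL -> "1.0.2g", 0x10100000L -> "1.1.0-dev".
 * Writes into a static buffer, so the result is overwritten by the next call.
 */
static const char *ossl_version_string(unsigned long n)
{
    static char buf[32];
    struct ossl_version v = ossl_decode(n);
    char letter[2] = { 0, 0 };

    if (v.patch != 0)
        letter[0] = (char)('a' + v.patch - 1);

    if (v.status == 0x0f)
        snprintf(buf, sizeof buf, "%u.%u.%u%s", v.major, v.minor, v.fix, letter);
    else if (v.status == 0)
        snprintf(buf, sizeof buf, "%u.%u.%u%s-dev", v.major, v.minor, v.fix, letter);
    else
        snprintf(buf, sizeof buf, "%u.%u.%u%s-beta%u",
                 v.major, v.minor, v.fix, letter, v.status);
    return buf;
}

/*
 * The decision the patch's #if makes at compile time, as a run-time function:
 * the auto-negotiating client method is TLS_client_method() from 1.1.0 onward
 * and SSLv23_client_method() before that; both negotiate the highest version.
 */
static const char *ossl_client_method_name(unsigned long n)
{
    return n >= 0x10100000UL ? "TLS_client_method" : "SSLv23_client_method";
}

int main(void)
{
    /* Constructed sample inputs: the numbers of 0.9.8r, 1.0.2g, 1.1.0-dev, 1.1.1. */
    const unsigned long samples[] = {
        0x0090812fUL, 0x1000207fUL, 0x10100000UL, 0x1010100fUL
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx  %-10s  %s()\n", samples[i],
               ossl_version_string(samples[i]),
               ossl_client_method_name(samples[i]));
    return 0;
}
```

In a real build the preprocessor makes the same comparison against the library's own OPENSSL_VERSION_NUMBER, so the #else branch of the patch should call SSLv23_client_method(); on either branch, SSL_CTX_set_options() with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 keeps an older library from negotiating down to SSLv3.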