Ken Hornstein wrote in <20190627150420.4FF107A412@pb-smtp21.pobox.com>:
|Everyone,
|
|When researching the issue Michael Richardson brought up today, it make
|me realize we really should be calling SSL_set_tlsext_host_name() so we
|send the TLS extension "server name indicator". Which is easy, it's
|literally one line of code. But that makes me ask a larger question: we
|have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
|that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
|lack the energy to research if SSL_set_tlsext_host_name() exists in
|pre-1.0.2 OpenSSL. I think at this point we should consider OpenSSL
|1.0.2 the minimum supported version of OpenSSL for nmh. This would
|guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
|Objections?
I use that protected via
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
which seems to work everywhere i tried.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
--
nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers