[Top] [All Lists]

Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version

2019-06-27 12:12:34

Ken Hornstein <kenh@pobox.com> wrote:
    > When researching the issue Michael Richardson brought up today, it make
    > me realize we really should be calling SSL_set_tlsext_host_name() so we
    > send the TLS extension "server name indicator".  Which is easy, it's
    > literally one line of code.  But that makes me ask a larger question: we
    > have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
    > that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
    > lack the energy to research if SSL_set_tlsext_host_name() exists in
    > pre-1.0.2 OpenSSL.  I think at this point we should consider OpenSSL
    > 1.0.2 the minimum supported version of OpenSSL for nmh.  This would
    > guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
    > Objections?

I concur.
If you have <1.0.2, then you probably don't have useful TLS, and should build
without it.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Attachment: signature.asc
Description: PGP signature

<Prev in Thread] Current Thread [Next in Thread>