> [[email protected] - Wed Feb 17 19:03:12 2010]:
>
> Hi!
>
> SSL_CTX_new currently contains:
>
>     /* Setup RFC4507 ticket keys */
>     if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
>         || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
>         || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
>         ret->options |= SSL_OP_NO_TICKET;
>
> followed by:
>
>     /* Default is to connect to non-RI servers. When RI is more widely
>      * deployed might change this.
>      */
>     ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
>

Fixed to |= now.

> Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once
> SSL_OP_LEGACY_SERVER_CONNECT is no longer default?
>

Well I'd say yes but that does have the problem that unless existing software is recompiled it will still use the old value (since it is a #define).

Ideally it should be an option outside SSL_OP_ALL but 1.0.0 has run out of new option bits and final beta isn't the time to completely reorganise the way they are handled.

For 1.1.0 (and possibly a backport to 1.0.1) the options will be reorganised.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
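The ordering problem discussed in this message, modelled as an added example that is not part of the original e-mail and is not OpenSSL code. The flag values, `struct ctx_model`, `fake_rand` and the `init_*` functions are hypothetical stand-ins; only the order of the `|=` and `=` operations follows the quoted snippet.

```c
#include <stdio.h>

/* Constructed flag values for this sketch; not taken from OpenSSL's headers. */
#define OP_LEGACY_SERVER_CONNECT 0x0004UL
#define OP_NO_TICKET             0x4000UL

/* Hypothetical stand-in for the context: only the options word is modelled. */
struct ctx_model { unsigned long options; };

/* Hypothetical stand-in for RAND_bytes(): returns <= 0 when the RNG fails. */
static int fake_rand(int rng_ok) { return rng_ok ? 1 : 0; }

/* Order of operations as quoted from SSL_CTX_new before the fix. */
unsigned long init_before_fix(int rng_ok)
{
    struct ctx_model c = { 0 };
    if (fake_rand(rng_ok) <= 0)
        c.options |= OP_NO_TICKET;          /* disable tickets: no usable keys */
    c.options = OP_LEGACY_SERVER_CONNECT;   /* plain assignment drops the flag */
    return c.options;
}

/* Same sequence with the assignment changed to |=, as the reply describes. */
unsigned long init_after_fix(int rng_ok)
{
    struct ctx_model c = { 0 };
    if (fake_rand(rng_ok) <= 0)
        c.options |= OP_NO_TICKET;
    c.options |= OP_LEGACY_SERVER_CONNECT;  /* earlier bits are preserved */
    return c.options;
}

/* 1 if tickets remain enabled, i.e. the failure-path flag is not set. */
int tickets_enabled(unsigned long options)
{
    return (options & OP_NO_TICKET) == 0;
}

int main(void)
{
    for (int rng_ok = 1; rng_ok >= 0; rng_ok--)
        printf("rng_ok=%d before: tickets=%d after: tickets=%d\n", rng_ok,
               tickets_enabled(init_before_fix(rng_ok)),
               tickets_enabled(init_after_fix(rng_ok)));
    return 0;
}
```

With a working RNG both orderings give the same options word; they differ only on the failure path, which is why the overwrite is easy to miss in normal testing.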
