On Wed, 2012-04-25 at 10:35 +0200, Andy Polyakov via RT wrote:
> more secure protocols. Trade-off. As 1.0.0 application is not in
> position to expect anything above TLS1.0, trade-off can as well be
> resolved in favor of interoperability. Note that there is not such
> trade-off in 1.0.1 application context, because 1.0.1 SSL_OP_ALL won't
> disable protocols above TLS1.0.

I'd be in favor of moving the SSL_OP_NO_TLSv1_1 out of SSL_OP_ALL as of 1.0.0, as an application should not in general really care against which openssl version _with stable ABI_ it is linked. And the capabilities should be defined by the underlying installed library version and not the version it was built against. Of course, in case the application needs to refer to API additions for the new functionality the situation is different, but that is not the case of TLS1.1.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb