On Sun, Jun 01, 2014, Viktor Dukhovni wrote:

> On Sun, Jun 01, 2014 at 07:47:30PM +0200, Dr. Stephen Henson wrote:
>
> > > Thanks. In particular, since SSL_OP_ALL is a compile-time constant,
> > > applications compiled with older releases will not send the extension
> > > by default. Only applications compiled against 1.0.1g or later
> > > that use SSL_OP_ALL, or specifically enable this work-around, will
> > > send the extension.
> >
> > Actually it currently reuses an obsolete bit of SSL_OP_ALL so any existing
> > application setting SSL_OP_ALL will use it. That's not set in stone and we do
> > have a spare bit.
>
> Repurposing bits in this way is problematic if that bit meant something else
> in any OpenSSL-1.x.y release (notional ABI). If the bit is from 0.9.x, and
> was never used in 1.x.y, then it is OK.
>
> I think it is actually a feature for older apps to not by default
> enable some feature that they have no way to disable.
>
Well the previous purpose of the bit was *ancient* referring to SSLRef and SSLv2
only and probably has been there since SSLeay.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
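The ABI point discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: it models how an upgraded shared library interprets the option mask that an already-compiled application passes in, for the two allocation choices mentioned (reusing the obsolete bit versus taking the spare bit). All macro names and bit values below are constructed for illustration and are assumptions, not OpenSSL's real constants.

```c
#include <stdio.h>

/* Constructed layout for illustration only; not OpenSSL's real values. */
#define OLD_OP_OBSOLETE_BUG 0x00000010UL /* ancient workaround bit, inside the old mask */
#define OLD_OP_ALL          0x000000FFUL /* "all workarounds" mask baked into old binaries */

#define PADDING_BIT_REUSED  0x00000010UL /* choice A: repurpose the obsolete bit */
#define PADDING_BIT_SPARE   0x00000100UL /* choice B: allocate the spare bit */
#define NEW_OP_ALL_REUSED   0x000000FFUL /* choice A: mask value is unchanged */
#define NEW_OP_ALL_SPARE    0x000001FFUL /* choice B: mask grows in new headers only */

/* The upgraded library only sees the integer the application compiled in. */
static int sends_padding(unsigned long app_options, unsigned long padding_bit)
{
    return (app_options & padding_bit) != 0;
}

struct app {
    const char *desc;
    unsigned long options; /* value fixed at the application's compile time */
};

int main(void)
{
    /* Constructed sample applications. */
    const struct app apps[] = {
        { "old binary, no options set",            0UL },
        { "old binary, set OLD_OP_ALL",            OLD_OP_ALL },
        { "old binary, set only the obsolete bit", OLD_OP_OBSOLETE_BUG },
        { "rebuilt binary, new mask (choice A)",   NEW_OP_ALL_REUSED },
        { "rebuilt binary, new mask (choice B)",   NEW_OP_ALL_SPARE },
    };
    size_t i;

    printf("%-40s %-8s %-8s\n", "application", "reuse", "spare");
    for (i = 0; i < sizeof(apps) / sizeof(apps[0]); i++) {
        printf("%-40s %-8s %-8s\n", apps[i].desc,
               sends_padding(apps[i].options, PADDING_BIT_REUSED) ? "sends" : "-",
               sends_padding(apps[i].options, PADDING_BIT_SPARE) ? "sends" : "-");
    }
    return 0;
}
```

With the reused bit, every old binary that set the old mask turns the new behaviour on without a rebuild; with the spare bit, only applications compiled against the new headers do.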
