Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
From: Steffen Nurpmeso
Subject: Re: [nmh-workers] Making OpenSSL 1.0.2 minimum version
Date: Thu, 27 Jun 2019 18:58:34 +0200
User-agent: s-nail v14.9.13-114-ge62f496b-dirty
Ken Hornstein wrote in <address@hidden>:
|Everyone,
|
|When researching the issue Michael Richardson brought up today, it made
|me realize we really should be calling SSL_set_tlsext_host_name() so we
|send the TLS extension "server name indicator". Which is easy, it's
|literally one line of code. But that makes me ask a larger question: we
|have some autoconf goo to support older libraries (pre OpenSSL 1.0.2)
|that didn't support the function X509_VERIFY_PARAM_set1_host(), and I
|lack the energy to research if SSL_set_tlsext_host_name() exists in
|pre-1.0.2 OpenSSL. I think at this point we should consider OpenSSL
|1.0.2 the minimum supported version of OpenSSL for nmh. This would
|guarantee we are doing TLS 1.2 everywhere and clean up some #ifdefs.
|Objections?
I use that protected via
  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
which seems to work everywhere I tried.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)