On Sat, Feb 09, 2019 at 02:19:50PM -0800, Hal Murray via devel wrote:
>
> e...@thyrsus.com said:
> >> Are we ever going to want to use anything older than TLS1.2? Spec says
> >> no, but it might be interesting for testing.
> > I'm not interested in complicating our lives with a surfeit of obsolete
> > APIs.
>
> Sounds good. It's probably worth updating our requirements section to
> include a version of OpenSSL new enough to support TLS1.2.
>
> We should be able to add that check to waf. I looked into it a bit, but it
> was going to take too long.
>
> We can get the version info either of two ways.
>
> Their command line tool is openssl.
>   $ openssl version
>   OpenSSL 1.1.1a FIPS 20 Nov 2018
>   $
> It's not part of the -dev package and otherwise not (yet) necessary to build.
>
> We might end up using it for some testing, but I can't think of a good
> example.
>
> OPENSSL_VERSION_NUMBER is defined in openssl/opensslv.h which gets pulled in
> by openssl/ssl.h. It looks like:
>   # define OPENSSL_VERSION_NUMBER 0x1010101fL
> There is also a text version:
>   # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a FIPS 20 Nov 2018"
>
> I don't know what version we need, but I'm pretty sure I can track it down.
> Their man pages are good about having a HISTORY section describing when a
> feature was added.
Per https://en.wikipedia.org/wiki/OpenSSL, OpenSSL added support for tls1.2 in
version 1.0.1. And that version was end of support in December 2016. So any
version of OpenSSL that we encounter on a supported operating system will have
a "new enough" OpenSSL to support tls1.2.

We can add a check for TLS1_2_VERSION (from openssl/tls1.h), if we want to be
explicit about support for the feature. We definitely don't want to check for
the version since features could be backported.

Eric, shall I add that?

Thanks,
-Matt

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
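The two probes the thread weighs against each other, side by side, as an added example (this is not NTPsec's code and not part of the thread): decoding the OPENSSL_VERSION_NUMBER value quoted above according to the 0xMNNFFPPS layout that OpenSSL 1.x documents in opensslv.h, and the feature-macro probe for TLS1_2_VERSION that Matt prefers because a version number says nothing about backports. The header include is guarded with the compiler extension __has_include (an assumption: GCC 5+ and clang support it) so the file still compiles on a machine without OpenSSL headers; have_tls12_macro() then simply reports 0, which is the same answer a waf configure test would record.

```c
/* Added example, not NTPsec code: version-number probe vs feature-macro probe.
 * The 0xMNNFFPPS field layout applies to OpenSSL 1.x version numbers. */
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<openssl/tls1.h>)
#    include <openssl/tls1.h>   /* defines TLS1_2_VERSION when TLS 1.2 is known */
#  endif
#endif

struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split a 1.x-style OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into its fields. */
struct ossl_version decode_openssl_version(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);       /* 0 = dev, 1..e = beta, f = release */
    return r;
}

/* Convenience for checking a decoded value field by field. */
int version_matches(unsigned long v, unsigned major, unsigned minor,
                    unsigned fix, unsigned patch, unsigned status)
{
    struct ossl_version r = decode_openssl_version(v);
    return r.major == major && r.minor == minor && r.fix == fix &&
           r.patch == patch && r.status == status;
}

/* Patch level 1..26 is the letter suffix "a".."z"; 0 means no suffix. */
char openssl_patch_letter(unsigned patch)
{
    return (patch >= 1 && patch <= 26) ? (char)('a' + patch - 1) : '\0';
}

/* Version-number probe: 1.0.1 was the first release with TLS 1.2.
 * Works on the raw number because the fields are ordered most-significant
 * first. Fragile in the way the thread notes: a vendor backport of TLS 1.2
 * into an older number would be reported as "too old". */
int version_at_least_1_0_1(unsigned long v)
{
    return v >= 0x10001000UL;
}

/* Feature-macro probe: asks the headers whether they know TLS 1.2 at all. */
int have_tls12_macro(void)
{
#ifdef TLS1_2_VERSION
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    unsigned long v = 0x1010101fUL;   /* the value quoted in the thread */
    struct ossl_version r = decode_openssl_version(v);
    printf("OPENSSL_VERSION_NUMBER 0x%lx -> %u.%u.%u%c (status 0x%x)\n",
           v, r.major, r.minor, r.fix, openssl_patch_letter(r.patch), r.status);
    printf("TLS 1.2 by version number: %d, by TLS1_2_VERSION macro: %d\n",
           version_at_least_1_0_1(v), have_tls12_macro());
    return 0;
}
```

On a host with OpenSSL headers both probes agree for 1.1.1a; the macro probe is the one that stays correct when a distribution ships an older-numbered library with TLS 1.2 patched in, which is the argument for wiring that probe, rather than a version comparison, into waf.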