On Wed, Jun 11, 2014 at 07:24:05PM +0200, Dimitrios Apostolou wrote:
> Hello list,
>
> given that I'm developing a custom client-server application that
> communicates via TLS, I decided to zero-out all options since I don't care
> about backwards compatibility and heterogeneous clients like browsers by
> doing:
>
> SSL_CTX_clear_options(ssl_ctx, SSL_CTX_get_options(ssl_ctx));
>
> Can you think of reasons this might be bad practice? (e.g. openssl changing
> default behaviour in the future unless an option is set)
The options start out "clear" by default. You would need to call
SSL_CTX_set_options() with a non-zero value (e.g. SSL_OP_ALL) to have any
options set. Some options are recommended, e.g. SSL_OP_NO_SSLv2 and possibly
even SSL_OP_NO_SSLv3 if you really have no requirement for legacy
interoperability. You can look over the rest to see whether you're better off
with them enabled or not.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
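As an added illustration (not part of the thread), the same clear-everything-then-re-add pattern in Python's standard-library ssl module, whose SSLContext.options setter maps onto SSL_CTX_set_options()/SSL_CTX_clear_options(). Unlike a raw SSL_CTX, Python's SSLContext starts with protective options such as OP_NO_COMPRESSION already set, so the helper reports what a wholesale clear throws away before the explicit re-add; the PROTECTIVE set and helper names are this example's own choices, and minimum_version stands in for the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 flags named in the reply.

```python
import ssl

# Options worth keeping even for a closed client/server pair. Constructed for this
# example; the thread itself only names SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3.
PROTECTIVE = ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE


def new_server_context() -> ssl.SSLContext:
    """Fresh server context with Python's (not OpenSSL's) default options."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def option_names(value: int) -> set:
    """Decode an options bitmask into the ssl.OP_* names it contains."""
    names = set()
    for name in dir(ssl):
        if not name.startswith("OP_") or name == "OP_ALL":
            continue
        flag = int(getattr(ssl, name))
        if flag and value & flag == flag:   # skip flags that are 0 in this build
            names.add(name)
    return names


def clear_all_options(ctx: ssl.SSLContext) -> set:
    """The thread's SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx)).
    Python's setter turns every bit going 1 -> 0 into SSL_CTX_clear_options().
    Returns the option names discarded, so the caller can see which protective
    defaults went with them."""
    before = ctx.options
    ctx.options = 0
    return option_names(before) - option_names(ctx.options)


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """After a wholesale clear, re-enable explicitly what you actually want.
    minimum_version replaces the deprecated OP_NO_SSLv2/OP_NO_SSLv3 flags."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= PROTECTIVE
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the floor is TLS 1.2 and every PROTECTIVE bit is set."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.options & PROTECTIVE == PROTECTIVE)


if __name__ == "__main__":
    ctx = new_server_context()
    print("defaults:", sorted(option_names(ctx.options)))
    print("dropped by clearing everything:", sorted(clear_all_options(ctx)))
    harden(ctx)
    print("hardened:", is_hardened(ctx), sorted(option_names(ctx.options)))
```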