On Sun, Apr 22, 2012 at 03:28:43PM -0400, Wietse Venema wrote:

> Why do we need to have (expr & TLS_KNOWN_PROTOCOLS) in the code
> in the first place? If we get rid of it, then we don't have to
> rush out patches each time the OpenSSL team comes out with a
> new incompatible protocol.
The "TLS_KNOWN_PROTOCOLS" bits are a Postfix tls.h feature; there is no OpenSSL feature that tells us which of the option bits are protocols and which are bug work-arounds, ... I can't turn off TLSv1_3 without predicting which option bit will be selected for SSL_OP_NO_TLSv1_3, and I don't own that crystal ball. :-)

There are various API design warts in OpenSSL; using the same bitmask for both bug-workarounds and protocol selection is just one of the unfortunate "optimizations".

-- 
Viktor.
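The maintenance hazard Viktor describes, shown as an added example that is not Postfix or OpenSSL code: a known-protocols mask that shares one option word with non-protocol bits. The `OP_NO_*` and `OP_BUG_WORKAROUND` values, the `KNOWN_PROTOCOLS` mask, the name table and the two functions are all constructed for illustration; OpenSSL's real `SSL_OP_NO_*` values differ between releases, which is exactly why a fixed mask cannot anticipate a flag the library has not defined yet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder bits, NOT OpenSSL's real SSL_OP_NO_* values. */
#define OP_NO_SSLv2        0x01UL
#define OP_NO_SSLv3        0x02UL
#define OP_NO_TLSv1        0x04UL
#define OP_NO_TLSv1_1      0x08UL
#define OP_NO_TLSv1_2      0x10UL
#define OP_BUG_WORKAROUND  0x20UL   /* a non-protocol bit living in the same word */

/* Every bit this code knows to be a protocol selector: a stand-in for the
 * Postfix TLS_KNOWN_PROTOCOLS mask discussed in the thread. */
#define KNOWN_PROTOCOLS (OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1 | \
                         OP_NO_TLSv1_1 | OP_NO_TLSv1_2)

struct proto_name { const char *name; unsigned long bit; };

static const struct proto_name proto_table[] = {
    { "SSLv2",   OP_NO_SSLv2 },
    { "SSLv3",   OP_NO_SSLv3 },
    { "TLSv1",   OP_NO_TLSv1 },
    { "TLSv1.1", OP_NO_TLSv1_1 },
    { "TLSv1.2", OP_NO_TLSv1_2 },
};

/* Parse an exclusion list such as "!SSLv2,!SSLv3" into a mask of OP_NO_* bits.
 * Names are separated by ',' or blanks and each must carry a leading '!'.
 * Returns the mask; on a name missing from the table returns 0 and copies the
 * offending token into bad (when bad is non-NULL). */
unsigned long exclude_mask(const char *list, char *bad, size_t badlen)
{
    unsigned long mask = 0;
    const char *p = list;

    if (bad && badlen)
        bad[0] = '\0';

    while (*p) {
        while (*p == ',' || *p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p && *p != ',' && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - start);

        if (start[0] == '!') {          /* strip the exclusion marker */
            start++;
            len--;
        } else {
            if (bad) snprintf(bad, badlen, "%.*s", (int)len, start);
            return 0;
        }

        int found = 0;
        for (size_t i = 0; i < sizeof proto_table / sizeof proto_table[0]; i++) {
            if (strlen(proto_table[i].name) == len
                && memcmp(proto_table[i].name, start, len) == 0) {
                mask |= proto_table[i].bit;
                found = 1;
                break;
            }
        }
        if (!found) {                   /* e.g. a protocol newer than this table */
            if (bad) snprintf(bad, badlen, "%.*s", (int)len, start);
            return 0;
        }
    }
    return mask;
}

/* Restrict a raw option word to the protocol bits this build knows about.
 * A bit a newer library defines for a protocol this table predates is
 * silently dropped here, which is the patch-per-release problem above. */
unsigned long restrict_to_known(unsigned long opts)
{
    return opts & KNOWN_PROTOCOLS;
}

int main(void)
{
    char bad[32];
    unsigned long future_bit = 0x40UL;  /* constructed: a flag this table never heard of */

    printf("mask(!SSLv2,!SSLv3) = %#lx\n", exclude_mask("!SSLv2,!SSLv3", bad, sizeof bad));
    if (exclude_mask("!TLSv1.3", bad, sizeof bad) == 0)
        printf("cannot exclude unknown protocol name: %s\n", bad);
    printf("restricted word      = %#lx\n",
           restrict_to_known(future_bit | OP_NO_SSLv2 | OP_BUG_WORKAROUND));
    return 0;
}
```

The `restrict_to_known` step is what keeps the bug-workaround bit out of the protocol decision, and it is also what forces a code change whenever a protocol bit is added that the mask does not list; dropping the mask, as Wietse suggests, trades that maintenance cost for no longer being able to distinguish protocol bits from workaround bits in the same word.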