author Phil Pennock <pdp@exim.org> 2012-05-03 19:11:49 -0700
committer Phil Pennock <pdp@exim.org> 2012-05-03 19:11:49 -0700
commit da3ad30dcfbb4770835c2b7e165bb719f76cfc16
tree 98071a567e2c77ad855dcbcee5871f5bf7207436 /doc/doc-txt/NewStuff
parent e74376d84aa63876c9a3b240513b8f38920733b7
OpenSSL fixes and backwards compat break.
Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b. Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options.
Diffstat (limited to 'doc/doc-txt/NewStuff')
-rw-r--r-- doc/doc-txt/NewStuff 9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b962b61a2..0aee33cec 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -33,6 +33,15 @@ Version 4.78
into the DBM library. Can be used with gsasl to access sasldb2 files as
used by Cyrus SASL.
+ 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1.
+
+ Avoid release 1.0.1a if you can. Note that the default value of
+ "openssl_options" is no longer "+dont_insert_empty_fragments", as that
+ increased susceptibility to attack. This may still have interoperability
+ implications for very old clients (see version 4.31 change 37) but
+ administrators can choose to make the trade-off themselves and restore
+ compatibility at the cost of session security.
+
Version 4.77
------------
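Review bot: The new item 6 folds a change of default into an entry headed as a feature announcement, so an administrator skimming for compatibility breaks can miss it; the removal of "+dont_insert_empty_fragments" from the default of "openssl_options" deserves its own numbered item or at least its own paragraph. "Avoid release 1.0.1a if you can" gives no reason, and the commit message talks about negotiation failures with 1.0.1b, so the text should say which OpenSSL releases are affected and by what. "Increased susceptibility to attack" would be more useful if it named the attack or pointed at a reference, and the last sentence should spell out the setting that restores the old behaviour (openssl_options = +dont_insert_empty_fragments) rather than leaving the reader to infer it. The heading also reads oddly ("OpenSSL now supports ... with OpenSSL 1.0.1"); something like "TLS1.1 and TLS1.2 are now supported when built against OpenSSL 1.0.1" says what is meant.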