From da3ad30dcfbb4770835c2b7e165bb719f76cfc16 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Thu, 3 May 2012 19:11:49 -0700 Subject: OpenSSL fixes and backwards compat break. Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b. Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options. --- doc/doc-txt/NewStuff | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'doc/doc-txt/NewStuff') diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b962b61a2..0aee33cec 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -33,6 +33,15 @@ Version 4.78 into the DBM library. Can be used with gsasl to access sasldb2 files as used by Cyrus SASL. + 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1. + + Avoid release 1.0.1a if you can. Note that the default value of + "openssl_options" is no longer "+dont_insert_empty_fragments", as that + increased susceptibility to attack. This may still have interoperability + implications for very old clients (see version 4.31 change 37) but + administrators can choose to make the trade-off themselves and restore + compatibility at the cost of session security. + Version 4.77 ------------ -- cgit v1.2.3
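Review bot: The new NewStuff item 6 documents only half of what the commit subject calls a backwards-compat break: it covers the openssl_options default change but says nothing about dropping SSL_clear() after SSL_new(), which the commit message gives as the fix for TLS1.0 vs TLS1.1/1.2 negotiation failures with OpenSSL 1.0.1b. Add a sentence about that fix so an administrator upgrading for that reason can find it here, and say why "Avoid release 1.0.1a if you can" (the entry gives no reason, so readers cannot judge whether it applies to them). Two smaller points in the same hunk: the opening line "OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1" reads as OpenSSL supporting OpenSSL; it should say that Exim's OpenSSL support now negotiates TLS1.1 and TLS1.2 when built against OpenSSL 1.0.1. And since the text tells administrators they "can choose to make the trade-off themselves and restore compatibility", give them the exact setting to do so, using the spelling from the commit message: "openssl_options = +dont_insert_empty_fragments", with a reminder that this reintroduces the weakness the default was changed to avoid.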