Update
Matthew Selsky
Matthew.Selsky at twosigma.com
Mon Feb 11 00:22:17 UTC 2019
On Sat, Feb 09, 2019 at 02:19:50PM -0800, Hal Murray via devel wrote:
>
> esr at thyrsus.com said:
> >> Are we ever going to want to use anything older than TLS1.2? Spec says no,
> >> but it might be interesting for testing.
> > I'm not interested in complicating our lives with a surfeit of obsolete APIs.
>
> Sounds good. It's probably worth updating our requirements section to include
> a version of OpenSSL new enough to support TLS1.2
>
> We should be able to add that check to waf. I looked into it a bit, but it
> was going to take too long.
>
> We can get the version info either of two ways.
>
> Their command line tool is openssl.
> $ openssl version
> OpenSSL 1.1.1a FIPS 20 Nov 2018
> $
> It's not part of the -dev package and otherwise not (yet) necessary to build.
> We might end up using it for some testing, but I can't think of a good example.
>
> OPENSSL_VERSION_NUMBER is defined in openssl/opensslv.h which gets pulled in
> by openssl/ssl.h
> It looks like:
> # define OPENSSL_VERSION_NUMBER 0x1010101fL
> There is also a text version:
> # define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a FIPS 20 Nov 2018"
>
> I don't know what version we need, but I'm pretty sure I can track it down.
> Their man pages are good about having a HISTORY section describing when a
> feature was added.
Per https://en.wikipedia.org/wiki/OpenSSL, OpenSSL added support for tls1.2 in version 1.0.1. And that version was end of support in December 2016.
So any version of OpenSSL that we encounter on a supported operating system will have a "new enough" OpenSSL to support tls1.2.
We can add a check for TLS1_2_VERSION (from openssl/tls1.h), if we want to be explicit about support for the feature. We definitely don't want to check for the version since features could be backported.
Eric, shall I add that?
Thanks,
-Matt