On Wed, Apr 18, 2012 at 12:16:49AM +0200, Alberto Garcia wrote:
> On Tue, Apr 17, 2012 at 08:18:45PM +0200, Kurt Roeckx wrote:
> 
> > > I think I found the problem. In irssi's network-openssl.c:409
> > > 
> > >    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
> > > 
> > > In the latest versions of OpenSSL, SSL_OP_ALL includes
> > > SSL_OP_NO_TLSv1_1.
> > 
> > So you mean with a rebuild you pass new options, and with the new
> > options it works?
> 
> Now I really found it, it's actually the other way around.
> 
> In OpenSSL 1.0.0e-2:
> 
> #define SSL_OP_ALL 0x80000FFFL
> 
> In OpenSSL 1.0.1-4:
> 
> #define SSL_OP_ALL 0x80000BFFL
> #define SSL_OP_NO_TLSv1_1 0x00000400L
> 
>    (0x80000BFFL + 0x00000400L == 0x80000FFFL)
> 
> So the former macro sets the 0x400 bit, which is not used in that
> version. However, in more recent versions of OpenSSL that bit disables
> support for TLS 1.1.
> 
> Summarizing: you'll have the TLS 1.1 support disabled depending on the
> version you compiled your code with.

1.0.0 didn't have TLS 1.1 support, it was only added in 1.0.1.  I
wonder why that option exists in the first place ...


Kurt
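
The mismatch discussed in this thread, as an added example (not part of the original messages and not irssi or OpenSSL code): it takes the SSL_OP_ALL values quoted above and checks whether the option mask baked into a binary disables TLS 1.1 when run against 1.0.1-4. The function names are hypothetical, and the SSL_OP_NO_SSLv2 value is taken from the OpenSSL 1.0.x headers rather than from the thread.

```c
#include <stdio.h>

/* Values quoted in the thread. */
#define OP_ALL_1_0_0E        0x80000FFFUL /* SSL_OP_ALL, OpenSSL 1.0.0e-2 headers */
#define OP_ALL_1_0_1         0x80000BFFUL /* SSL_OP_ALL, OpenSSL 1.0.1-4 headers */
#define OP_NO_TLSv1_1_1_0_1  0x00000400UL /* SSL_OP_NO_TLSv1_1, OpenSSL 1.0.1-4 */
/* Assumption: not in the thread, value from OpenSSL 1.0.x ssl.h. */
#define OP_NO_SSLv2          0x01000000UL

/* Bits that SSL_OP_ALL carried at build time but that the run-time
 * library's SSL_OP_ALL no longer includes. These are the bits whose
 * meaning may have been reassigned between the two versions. */
unsigned long stale_bits(unsigned long built_all, unsigned long runtime_all)
{
    return built_all & ~runtime_all;
}

/* The mask irssi passes to SSL_CTX_set_options(), as the compiler
 * would have folded it for a given set of headers. */
unsigned long irssi_options(unsigned long built_all)
{
    return built_all | OP_NO_SSLv2;
}

/* Does a baked-in mask turn TLS 1.1 off under a 1.0.1-4 runtime? */
int disables_tls11(unsigned long baked_options)
{
    return (baked_options & OP_NO_TLSv1_1_1_0_1) != 0;
}

static void report(const char *label, unsigned long built_all)
{
    unsigned long opts = irssi_options(built_all);
    printf("%-22s options=0x%08lX stale=0x%08lX TLS 1.1 %s\n",
           label, opts, stale_bits(built_all, OP_ALL_1_0_1),
           disables_tls11(opts) ? "DISABLED" : "enabled");
}

int main(void)
{
    /* Same source line, two different builds, one 1.0.1-4 runtime. */
    report("built against 1.0.0e-2", OP_ALL_1_0_0E);
    report("built against 1.0.1-4", OP_ALL_1_0_1);
    return 0;
}
```
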



