On Thu, Jul 03, 2025 at 07:33:54PM -0500, Nate Choe via Lynx-dev wrote: > Hello everyone! > > I was reading through some of the Lynx source code, and I have some questions > about how Lynx handles TLS. Specifically, in HTTP.c:734, we see this snippet: ... > With all of that in mind, I have a few questions: > > 1. Is this intended behavior or just a bug?
It sounds like a bug. > 2. It seems like Lynx goes out of its way to support legacy versions of > OpenSSL. > Would it be unreasonable to assume that a user has access to the > SSL_set_max_proto_version, which was added in OpenSSL version 1.1.0? ...only with a suitable configure check. > 3. In a similar vein, would it be unreasonable to drop SSL support entirely? ..probably not. The real problem is that there's been no stable api, which would allow any application to just recompile periodically and update painlessly. We don't have that situation with standardized APIs - SSL/TLS/etc, just seem to have RFCs which leave too much leeway for implementator of libraries. (a patch to address the issues you outline would be duly considered - thanks) -- Thomas E. Dickey <[email protected]> https://invisible-island.net
signature.asc
Description: PGP signature
