Removing Extensions from Client Hello Header
Matt Caswell
matt at openssl.org
Mon Nov 11 22:16:02 UTC 2019
On 11/11/2019 22:12, Michael Wojcik wrote:
> -----Original Message-----
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
>> Phil Neumiller
>> Sent: Monday, November 11, 2019 15:57
>>
>> Code: SSL_CTX_set_options(ctx, !SSL_OP_ALL);
>
> That's just a verbose way of saying SSL_CTX_set_options(ctx, 0).
>
> Perhaps you meant SSL_CTX_set_options(ctx, ~SSL_OP_ALL)? I certainly wouldn't recommend that - it would enable a host of options which aren't included in SSL_OP_ALL, and which you very likely shouldn't be enabling. (And also some you perhaps should, such as SSL_OP_SINGLE_ECDH_USE, though I don't remember offhand if that affects TLSv1.3.)
There is no need to enable SSL_OP_SINGLE_ECDH_USE. In fact that option
does nothing:
/* Removed from OpenSSL 1.1.0. Was 0x00080000L */
# define SSL_OP_SINGLE_ECDH_USE 0x0
Matt
More information about the openssl-users
mailing list