Benjamin Kaduk 72d2670bd2 Enforce secure renegotiation support by default ... Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in SSL_CTX_new(), to allow connections to legacy servers that did not implement RFC 5746. It has been more than a decade since RFC 5746 was published, so there has been plenty of time for implmentation support to roll out. Change the default behavior to be to require peers to support secure renegotiation. Existing applications that already cleared SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as re-clearing the flag is just a little bit of redundant work. The old behavior is still available by explicitly setting the flag in the application. Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for similar reasons. Document the behavior change in CHANGES.md, and update the SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change in default behavior. Fixes: 14848 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15127)		2021-05-05 08:13:51 -07:00
..
crypto	Allow absolute paths to be set	2021-05-05 13:11:17 +02:00
internal	Create libcrypto support for BIO_new_from_core_bio()	2021-05-04 12:00:21 +01:00
openssl	Enforce secure renegotiation support by default	2021-05-05 08:13:51 -07:00