Re: Missing enable-tlsext configuration

Matt Caswell-2


On 28/08/2019 13:46, Dan Heinz wrote:
> We're moving from the 1.0.x branch to the 1.1.1 branch of OpenSSL. When
> building OpenSSL 1.1.1c, I get an error that there is not an enable-tlsext
> configuration parameter.  I can't seem to find any information on when or why
> this was removed.  Is this enabled by default now?
>

It was always enabled by default (at least for all recent OpenSSL versions - I
can't speak for ancient ones). In 1.0.2 you could disable extensions support
with disable-tlsext. TLSv1.2 will *work* without extensions but it really is not
recommended. TLSv1.3 requires extensions. There really is no reason to disable
them, and it added significant maintenance overhead keeping that option working
- so it was removed in 1.1.0.

Matt
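
For build scripts carried over from 1.0.x, the reply above implies a simple rule for the Configure argument list. This is an added example, not part of the original thread or of OpenSSL, and the function names are hypothetical: it drops `enable-tlsext` for 1.1.0 and later, and refuses `disable-tlsext` there, since the option was removed.

```shell
#!/bin/sh
# Added example: adapt an OpenSSL 1.0.x Configure argument list for 1.1.0+.
# Function names are hypothetical; version strings and arguments are constructed.

# Succeeds if the version string (e.g. 1.0.2u, 1.1.1c, 3.0.13) is 1.1.0 or later.
version_ge_1_1_0() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && return 0
    return 1
}

# filter_openssl_config_args VERSION ARG...
# Prints the arguments that are still valid for VERSION, one per line.
# Returns 2 if the list asks to disable TLS extensions on 1.1.0 or later.
filter_openssl_config_args() {
    version=$1
    shift
    for arg in "$@"; do
        case $arg in
            enable-tlsext)
                # Extensions are on by default; the option no longer exists in 1.1.0+.
                if version_ge_1_1_0 "$version"; then
                    echo "note: dropping $arg for $version (always enabled)" >&2
                    continue
                fi ;;
            disable-tlsext)
                # Removed in 1.1.0, and TLSv1.3 requires extensions.
                if version_ge_1_1_0 "$version"; then
                    echo "error: $arg is not available in $version" >&2
                    return 2
                fi ;;
        esac
        printf '%s\n' "$arg"
    done
}

# Constructed sample call: prints "shared" and "no-ssl3" on stdout.
filter_openssl_config_args 1.1.1c shared enable-tlsext no-ssl3
```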