Make the TLSv1.3 downgrade mechanism a configurable option

Make it disabled by default. When TLSv1.3 is out of draft we can remove this option and have it enabled all the time. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3022)
author: Matt Caswell <matt@openssl.org> 2017-03-22 11:52:45 +0000
committer: Matt Caswell <matt@openssl.org> 2017-03-24 14:07:11 +0000
commit: 3556b83ea2a00d0dd3e4f1ec38adb6837553e451 (patch)
tree: 06b2350955e46509b54608bca0db9c057eca20d1 /INSTALL
parent: c3043dcd55d81617408025b1cdb8241ef753b805 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/INSTALL b/INSTALL
index d741b9f5a0..59486efbb4 100644
--- a/INSTALL
+++ b/INSTALL
@@ -427,6 +427,16 @@
                    require additional system-dependent options! See "Note on
                    multi-threading" below.
 
+  enable-tls13downgrade
+                   TODO(TLS1.3): Make this enabled by default and remove the
+                   option when TLSv1.3 is out of draft
+                   TLSv1.3 offers a downgrade protection mechanism. This is
+                   implemented but disabled by default. It should not typically
+                   be enabled except for testing purposes. Otherwise this could
+                   cause problems if a pre-RFC version of OpenSSL talks to an
+                   RFC implementation (it will erroneously be detected as a
+                   downgrade).
+
   no-ts
                    Don't build Time Stamping Authority support.
author	Matt Caswell <matt@openssl.org>	2017-03-22 11:52:45 +0000
committer	Matt Caswell <matt@openssl.org>	2017-03-24 14:07:11 +0000
commit	3556b83ea2a00d0dd3e4f1ec38adb6837553e451 (patch)
tree	06b2350955e46509b54608bca0db9c057eca20d1 /INSTALL
parent	c3043dcd55d81617408025b1cdb8241ef753b805 (diff)