Michael Paquier <michael@paquier.xyz> writes:
> Now that I think about it, another method would be to rely on the fact
> that a given version of OpenSSL does not support TLS 1.1 and 1.2. So
> we could also just add checks based on OPENSSL_VERSION_NUMBER and be
> done with it.
No, that way madness lies. We *know* that there are lots of
vendor-patched versions of OpenSSL out there, so that the nominal
version number isn't really going to tell us what the package can do.
What I'm concerned about at the moment is Peter's comment upthread
that what we seem to be dealing with here is a broken vendor patch,
not any officially-released OpenSSL version at all. Is it our job
to work around that situation, rather than pushing the vendor to
fix their patch?
regards, tom lane