Add TLS_method, TLS_client_method and TLS_server_method.

Use these instead of SSLv23_*method when you want to make sure TLS is
used.

By default, we disable SSLv3 but it's still possible for the user to
re-enable it.  TLS_*method does not allow SSLv3.

Both BoringSSL and (next version of) OpenSSL have these methods.
However, they have changed the implementation significantly.  We will
as well, but not right now.

Riding the libssl major bump.

ok miod@ bcook@

1 files changed, 4 insertions, 1 deletions

diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 0a0a711a201..0cd220778b9 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.91 2015/07/18 19:41:54 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1696,6 +1696,9 @@ const SSL_METHOD *TLSv1_2_method(void);		/* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_server_method(void);	/* TLSv1.2 */
 const SSL_METHOD *TLSv1_2_client_method(void);	/* TLSv1.2 */
 
+const SSL_METHOD *TLS_method(void);		/* TLS v1.0 or later */
+const SSL_METHOD *TLS_server_method(void);	/* TLS v1.0 or later */
+const SSL_METHOD *TLS_client_method(void);	/* TLS v1.0 or later */
 
 const SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */