reference: RFC 5246 - TLS 1.2 - Appendix E.1:
Note: some server implementations are known to implement version
negotiation incorrectly. For example, there are buggy TLS 1.0
servers that simply close the connection when the client offers a
version newer than TLS 1.0. Also, it is known that some servers will
refuse the connection if any TLS extensions are included in
ClientHello. Interoperability with such buggy servers is a complex
topic beyond the scope of this document, and may require multiple
connection attempts by the client.
Earlier versions of the TLS specification were not fully clear on
what the record layer version number (TLSPlaintext.version) should
contain when sending ClientHello (i.e., before it is known which
version of the protocol will be employed). Thus, TLS servers
compliant with this specification MUST accept any value {03,XX} as
the record layer version number for ClientHello.
TLS clients that wish to negotiate with older servers MAY send any
value {03,XX} as the record layer version number. Typical values
would be {03,00}, the lowest version number supported by the client,
and the value of ClientHello.client_version. No single value will
guarantee interoperability with all old servers, but this is a
complex topic beyond the scope of this document.
reference: RFC 2560 - Section 4.2.2.2 Authorized Responders:
The key that signs a certificate’s status information need not be the
same key that signed the certificate. It is necessary however to
ensure that the entity signing this information is authorized to do
so. Therefore, a certificate’s issuer MUST either sign the OCSP
responses itself or it MUST explicitly designate this authority to
another entity.
add user-crypto makefile
update README for IPP crypto
place user crypto in wolfcrypt and use autotools
adjust distributed files
move openssl compatibility consumption
auto use IPP RSA -- IPP directory containing shared libraries local
return value of wolfSSL_BN and formating of debug
openssh testing
make sure IPP not built when fips is
ipp init to select correct optimizations -- static libraries on linux -- fast-rsa disabled by default
try to only set library once
only use static IPP if fast rsa is enabled
make print out for user crypto more pretty
