Re-enable TLS 1.1 and TLS 1.2 once they are fixed
See legacy/trac#6033 for why we needed to disable TLS 1.1 and TLS 1.2.
We'd like to turn them back on once OpenSSL 1.0.1d comes out with the bugfix. The easiest way to do that will be to make the whole block that disables them conditional on the compile-time OpenSSL version.
Of course, we'll have the obvious problem: many vendors will only partially backport OpenSSL changes, and will not bump the OpenSSL version when they do so. We should see where and how this is a problem: right now, Ubuntu 12.04 (LTS!? :( ) seems to be the likeliest place for a problem to occur here, since it's shipping a patched 1.0.1 that it calls 1.0.1-4.
If we decide we need to re-enable TLS on these platforms too, here are the options I can think of:
- Try renegotiation with TLS 1.2 with ourselves at runtime. If that fails, disable TLS 1.1 and TLS 1.2.
- Have a compile-time or runtime option that tells us that OpenSSL has been fixed.
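
A sketch of the version gate with the override option from the list above, added here as an example and not taken from the project's code. The `DISABLE_*` flags, the function names and the `vendor_says_fixed` parameter are hypothetical; the caller is assumed to pass `OPENSSL_VERSION_NUMBER` and the value returned by `SSLeay()`.

```c
#include <stdio.h>

/* OpenSSL 1.0.x encodes its version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (a=1, b=2, ...) and status (0xf = release). */
#define V_1_0_1   0x1000100fUL  /* first release with TLS 1.1/1.2 */
#define V_1_0_1D  0x1000104fUL  /* release the ticket expects the fix in */

/* Hypothetical flags for this example. Real code would OR
 * SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 into SSL_CTX_set_options(). */
#define DISABLE_TLS11 0x1u
#define DISABLE_TLS12 0x2u

/* Render a version number as e.g. "1.0.1d" for logs; returns the length. */
int openssl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned long patch = (v >> 4) & 0xff;
    char letter[2] = { patch ? (char)('a' + patch - 1) : '\0', '\0' };
    return snprintf(buf, len, "%lu.%lu.%lu%s",
                    (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff, letter);
}

/* compiled: OPENSSL_VERSION_NUMBER from the headers.
 * runtime:  SSLeay() from the library actually loaded.
 * vendor_says_fixed: hypothetical build/runtime override for distributions
 * that backport the fix without bumping the version. */
unsigned tls_versions_to_disable(unsigned long compiled, unsigned long runtime,
                                 int vendor_says_fixed)
{
    if (runtime < V_1_0_1)
        return 0;   /* library predates TLS 1.1/1.2: nothing to disable */
    if (vendor_says_fixed)
        return 0;
    if (compiled >= V_1_0_1D && runtime >= V_1_0_1D)
        return 0;   /* headers and linked library both carry the fix */
    return DISABLE_TLS11 | DISABLE_TLS12;
}

int main(void)
{
    char buf[16];
    unsigned long distro = 0x1000100fUL; /* constructed: patched build still reporting 1.0.1 */
    openssl_version_str(distro, buf, sizeof buf);
    printf("%s: mask=%u, with override=%u\n", buf,
           tls_versions_to_disable(distro, distro, 0),
           tls_versions_to_disable(distro, distro, 1));
    return 0;
}
```

Checking the runtime value as well as the compile-time one keeps both protocols off when a binary built against fixed headers is loaded with an older shared library.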