Comment 5 for bug 1256576

There are 2 issues with OpenSSL/TLSv1.2 in Ubuntu. I'm on 12.04, but I see the same patch in newer Ubuntu versions.

1) TLSv1.2 is removed from SSLv23_method(). It's technically fine policy decision. But I think it should be reverted at least new Ubuntu versions. All the sites mentioned in +1y old bugs work fine now with TLSv1.2 requests. And several high-profile browsers are now using TLSv1.2 protocol by default (IE11, Chrome, Safari), so any remaining problematic sites will feel pain if they don't fix.

Eg, see site and browser state here: https://www.ssllabs.com/ssltest/analyze.html?d=mediafire.com

My suggestion: remove this limitation at least from 14.04.

2) TLSv1.2 ciphersuite list is cut to first 25. Thanks to 1) this will affect only apps requesting TLSv1.2 explicitly. It allows only AES256 ciphersuites, which is not big problem. But it also disables secure renegotation, which is signaled with extra ciphersuite.

IOW: apps that want the "newest and most secure TLS version" get crippled protocol instead connection failure if some middleware box fails.

My suggestion: please revert this patch from everywhere. It's dumb idea to force "max-compat" to apps that explicitly want TLSv1.2.