This adds support for the ephemeral elliptic curve Diffie-Hellman key
exchange, which provides for forward secrecy in the event that
long-term keys are compromised.
For the moment, we've hard-coded the curve as prime256v1.
Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".
Previously if tls-version was set to tlsv1 we supported only TLSv1,
but if it was set to sslv23 we supported all versions of TLS. This
was a weird incorrectly documented behavior that we hope no one was
relying on.
Now we can pass a comma-separated list of TLS/SSL versions that we
would like to support in tls-version.
FS-5839 --resolve
Previously if the TPTAG_TLS_VERSION was set to a non-zero value we
supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if was set to
zero we supported all versions of TLS and SSL (including the
ridiculous SSLv2).
Now we take an integer field where various bits can be set indicating
which versions of TLS we would like to support.
This commit changes behavior such that if --disable-core-odbc-support
is provided we'll build without ODBC even if the libraries are there.
Previously we would always quietly build with ODBC support if it was
on the system.
Contrary to what was said in commit 72a804983, my 2012 commit
ffc8e81b7 did not affect the behavior of --disable-core-odbc-support.
We never recognized the flag as being different from not providing the
option at all.
What the commit did do was to cause us to fail loudly if
--enable-core-odbc-support was provided but the system libraries were
not there. This behavior is preserved.
(That commit also caused us to potentially run certain checks twice,
which this commit resolves.)
You can also now provide --enable-core-odbc-support=optional which has
the same effect as the default behavior.
FS-6173 --resolve
Thanks-to: James Le Cuirot <chewi@aura-online.co.uk>
