#
cipher_list = "DEFAULT"
+ # If enabled, OpenSSL will use server cipher list
+ # (possibly defined by cipher_list option above)
+ # for choosing right cipher suite rather than
+ # using client-specified list which is OpenSSl default
+ # behavior. Having it set to yes is a current best practice
+ # for TLS
+ cipher_server_preference = no
+
# Work-arounds for OpenSSL nonsense
# OpenSSL 1.0.1f and 1.0.1g do not calculate
# the EAP keys correctly. The fix is to upgrade
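Review bot: The added `cipher_server_preference = no` contradicts its own comment, which calls `yes` the current best practice, so a default install keeps honouring the client's cipher ordering and a client can pick the weakest suite that `cipher_list = "DEFAULT"` still permits. Either ship `cipher_server_preference = yes`, or keep `no` and state the reason in the comment; if backward compatibility is the reason, something like `# Left at "no" so existing deployments negotiate as before; set to "yes" for new installs.` would do. The comment should also say that server preference only helps when `cipher_list` is itself ordered strongest-first and excludes weak suites, since `DEFAULT` leaves that ordering to the OpenSSL build. Minor: "OpenSSl" in the added comment should read "OpenSSL". The enclosing configuration section starts and ends outside the visible hunk, so I could not check how this option interacts with neighbouring settings.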
# If "enable = no" below, you CANNOT enable resumption for just one
# user by setting the above attribute to "yes".
#
- enable = yes
+ enable = no
#
# Lifetime of the cached entries, in hours. The sessions will be
# the correct paths below to enable it.
#
# If OCSP checking is enabled, and the OCSP checks fail,
- # the verify section is skipped.
+ # the verify section is not run.
+ #
+ # If OCSP checking is disabled, the verify section is
+ # run on successful certificate validation.
#
verify {
# If the OCSP checks succeed, the verify section