Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
-=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
-
-Disable TLS Extension CA Names. You may want to disable it for security reasons
-or for compatibility with some Windows TLS implementations crashing when this
-extension is larger than 1024 bytes.
-
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
broken SSL implementations. This option has no effect for connections
using other ciphers.
+=item SSL_OP_CRYPTOPRO_TLSEXT_BUG
+
+Make server add server-hello extension from early version of cryptopro draft,
+when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro
+CSP 3.x.
+
=item SSL_OP_TLSEXT_PADDING
Adds a padding extension to ensure the ClientHello size is never between
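Review bot: the added SSL_OP_CRYPTOPRO_TLSEXT_BUG description is ungrammatical and spells the vendor two ways in one paragraph ("cryptopro draft" and "CryptoPro CSP 3.x"). Suggest "Makes the server add a server-hello extension from an early version of the CryptoPro draft when a GOST ciphersuite is negotiated." The wording implies the option only matters on the server side; say so explicitly, so that nobody sets this interoperability workaround on a client expecting an effect.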
=over 4
+=item SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+
+Client-initiated renegotiation is disabled by default. To allow it, use the
+this option to enable it.
+
+=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
+
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.
+
=item SSL_OP_TLS_ROLLBACK_BUG
Disable version rollback attack detection.
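Review bot: in the SSL_OP_ALLOW_CLIENT_RENEGOTIATION entry, "To allow it, use the this option to enable it." has a duplicated article and says the same thing twice; "Use this option to allow it." is enough. Because the entry documents turning on something that is disabled by default, add a sentence on why it is disabled, so readers can weigh the risk before setting it. The same applies to "for security reasons" in the SSL_OP_DISABLE_TLSEXT_CA_NAMES entry below it: name the concern, otherwise the reader cannot tell whether it applies to their deployment.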
=item SSL_OP_NO_COMPRESSION
-Do not use compression even if it is supported.
+Do not use compression even if it is supported. This option is set by default.
+To switch it off use SSL_clear_options(). A future version of OpenSSL may not
+set this by default.
=item SSL_OP_NO_QUERY_MTU
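Review bot: the new SSL_OP_NO_COMPRESSION text warns that a future version "may not set this by default" but gives no guidance to applications that depend on compression staying off. Suggest adding that such applications should set the option explicitly instead of relying on the default. SSL_clear_options() is also left unmarked, while the file marks up identifiers elsewhere (B<SSL_OP_CIPHER_SERVER_PREFERENCE>).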
in the server cipher list; but still allows other clients to use AES and other
ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>.
+=item SSL_OP_CISCO_ANYCONNECT
+
+Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1
+connection. Only available when using the deprecated DTLSv1_client_method() API.
+
=item SSL_OP_ENABLE_MIDDLEBOX_COMPAT
If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This
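Review bot: the SSL_OP_CISCO_ANYCONNECT entry says "Only available when using the deprecated DTLSv1_client_method() API" but not what happens when the option is set on a context created any other way (silently ignored, or an error), nor what callers should use in place of the deprecated method. State both. DTLS_BAD_VER and DTLSv1_client_method() could also carry B<> markup, as on the B<SSL_OP_CIPHER_SERVER_PREFERENCE> line just above.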