Replacement of sslversion=N by tls-min-version=1.N
Overall the default behaviour is changed from enumerating the protocols
wanted to enumerating and eliminating the unwanted.
* sslversion= / version= parameter is removed from documentation.
* sslversion= code logic is converted from setting the SSL_*_method()
function to setting the ssloptions= masking parameters.
Yes, this will open a hole for future libraries' use of TLSv1.3. However
that is kind of desirable and if it becomes a problem the
ssloptions=NO_TLSv1_3 should be made available.
* The SSL_*_method() logic is all converted to using the flexible
TLS_*_method() API when available (OpenSSL 1.1.0) otherwise the
equivalent SSLv23_*_method() API is used.
That API follows the latest specification behaviour: to send a protocol
frame type that any recipient should be able to parse (library decides
which), while only negotiating the protocol type permitted.
* A new option tls-min-version=1.N is added to server connection
directives. It controls *only* the TLS version range.
- http(s)_port directives are not (yet) implemented using
Security::PeerOptions. For now they are left with options= masking to
select protocol support.
- A bug in the http(s)_port directives' version= parameter is fixed. The new
backward compatibility code accepts version=4|5|6 where the existing
code did not, despite documentation saying it did.
- SSLv3 is left at the library default unless ssloptions=NO_SSLv3 is used.
* ssloptions= is left alone so anyone can still set the library options
masks to control SSLv3 enable/disable or specific TLS versions higher
than the configured minimum.
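
The masking behaviour described above, modelled as an added example (not Squid source and not part of the original message). Function names are hypothetical, the legacy mapping 3=SSLv3, 4=TLSv1.0, 5=TLSv1.1, 6=TLSv1.2 is an assumption taken from older Squid documentation, and the library is assumed to offer SSLv3 through TLSv1.3.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Protocols in ascending order, each with the ssloptions= token that disables it.
struct Proto { std::string name, noToken; };
static const std::vector<Proto> kLibrary = {
    {"SSLv3", "NO_SSLv3"},     {"TLSv1.0", "NO_TLSv1"},
    {"TLSv1.1", "NO_TLSv1_1"}, {"TLSv1.2", "NO_TLSv1_2"},
    {"TLSv1.3", "NO_TLSv1_3"}, // token the message says may be needed later
};
static const size_t kKnown = 4; // entries the masking logic can eliminate today
using Mask = std::vector<std::string>;

// tls-min-version=1.N: eliminate TLS versions below 1.N; SSLv3 is not touched.
Mask maskForTlsMin(int minor) {
    if (minor < 0 || minor > 3) throw std::invalid_argument("unsupported minor");
    Mask m;
    for (size_t i = 1; i < kKnown && static_cast<int>(i) - 1 < minor; ++i)
        m.push_back(kLibrary[i].noToken);
    return m;
}

// Legacy sslversion=N ("N only"): eliminate every other known protocol.
Mask maskForLegacy(int n) {
    if (n < 3 || n > 6) throw std::invalid_argument("unsupported sslversion");
    Mask m;
    for (size_t i = 0; i < kKnown; ++i)
        if (i != static_cast<size_t>(n - 3)) m.push_back(kLibrary[i].noToken);
    return m;
}

// Protocols still negotiable once the mask is applied to the library's full set.
std::string negotiable(const Mask &mask) {
    std::string out;
    for (const auto &p : kLibrary) {
        bool off = false;
        for (const auto &t : mask) off = off || t == p.noToken;
        if (!off) out += (out.empty() ? "" : ",") + p.name;
    }
    return out;
}

int main() {
    std::cout << "sslversion=6        -> " << negotiable(maskForLegacy(6)) << "\n";
    std::cout << "tls-min-version=1.2 -> " << negotiable(maskForTlsMin(2)) << "\n";
    return 0;
}
```

The first line of output shows the TLSv1.3 hole for a legacy "TLSv1.2 only" setting; the second shows SSLv3 surviving tls-min-version until NO_SSLv3 is added to the mask.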