Deprecate TLS 1.0 and 1.1 by default

Fixes #101.

Minor digit of version number has been bumped per [Semantic Versioning
2.0.0](https://semver.org/spec/v2.0.0.html) §7:

> Minor version Y (x.Y.z | x > 0) MUST be incremented if ... any public
> API functionality is marked as deprecated.

diff --git a/UPDATING b/UPDATING
index ca8668889c4ce1f244f539fad10bb6a025635b80..b8d86340b513b87c98641dfc0775c492807c9dd5 100644 (file)
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,10 @@ http://www.mutt.org/doc/manual/
 The keys used are:
   !: modified feature, -: deleted feature, +: new feature
 
+1.12.1
+
+  ! $ssl_use_tlsv1 and ssl_use_tlsv1_1 now default to unset.
+
 1.11.1 (2018-12-01):
 
   ! Bug fix release.

diff --git a/init.h b/init.h
index 12585078408e7555788350ce83387dde6bd240b2..c79fb6cb7f429c6df64016e04fd1e8fe142aceee 100644 (file)
--- a/init.h
+++ b/init.h
@@ -3604,13 +3604,13 @@ struct option_t MuttVars[] = {
   ** SSL authentication process. Note that SSLv2 and SSLv3 are now
   ** considered fundamentally insecure and are no longer recommended.
   */
-  { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
+  { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 0 },
   /*
   ** .pp
   ** This variable specifies whether to attempt to use TLSv1.0 in the
   ** SSL authentication process.
   */
-  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
+  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 0 },
   /*
   ** .pp
   ** This variable specifies whether to attempt to use TLSv1.1 in the