Chapter 14. Security

A runtime version of OpenSSL is masked and SSL_OP_NO_TLSv1_1 must not be used with OpenSSL 1.0.0

Because certain applications perform incorrect version check of the OpenSSL version, the actual runtime version of OpenSSL is masked and the build-time version is reported instead. Consequently, it is impossible to detect the currently running OpenSSL version using the SSLeay() function.
Additionally, passing the value equivalent to the SSL_OP_NO_TLSv1_1 option as present on OpenSSL 1.0.1 to the SSL_CTX_set_options() function when running with OpenSSL 1.0.0 breaks the SSL/TLS support completely.
To work around this problem, use another way to detect the currently running OpenSSL version. For example, it is possible to obtain a list of enabled ciphers with the SSL_get_ciphers() function and search a TLS 1.2 cipher by parsing the list using the SSL_CIPHER_description() function. This indicates an application that runs with the OpenSSL version later than 1.0.0 because TLS 1.2 support is present since version 1.0.1. (BZ#1497859)