Add a note about supporting TLS in the README.md

[rafiyagi]

I think it would be helpful for users of this library to know they should utilize an OpenSSL version to one that is using TLS v1.1+ since Recurly will slowly be deprecating any protocols that do not use TLS v1.1.

[drewish]

That link doesn't work with the . on the end. I pulled it up and I've got no idea how I'd determine which versions support it. Can you dig through there and come up with a list?

[rafiyagi]

@drewish does the markdown file include the period . as part the URL? When I view the branch on github, it properly renders the link without the period. Did you simply copy/past the link with the period?

[drewish]

I think we need to account for both people looking at it on GitHub and people looking at it in their editor.

[rafiyagi]

@drewish period removed.

[bhelx]

It might be good to add the minimum OpenSSL version too so people don't have to dig. I think it's 1.0.1 but I will need to check.

[rafiyagi]

@bhelx it's 1.0.1g - or at least that's the one where they fixed heartbleed. Should that be the minimum version?

[rafiyagi]

Ok - so initial TLSv1.1 support starts with v1.0.1.

This was cataloged in "Changes between 1.0.0h and 1.0.1": https://www.openssl.org/news/changelog.html#x21 -- note: it's described in the last bullet point:

Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only a few changes are required: ...

However, since 1.0.1 also introduced heartbleed, I think we should recommend versions 1.0.1g and up -- 1.0.1g was the version that fixed heartbleed: https://www.openssl.org/news/changelog.html#x14

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

As far as the "best" version, I think it's 1.1.0 since it "prefers" TLS v1.2:
https://www.openssl.org/news/changelog.html#x0

It's a number of bullet points down:

Changes to the DEFAULT cipherlist:
- Prefer (EC)DHE handshakes over plain RSA.
- Prefer AEAD ciphers over legacy ciphers.
- Prefer ECDSA over RSA when both certificates are available.
- Prefer TLSv1.2 ciphers/PRF.
- Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
default cipherlist.
[Emilia Käsper]

@bhelx @drewish, thoughts?

[rafiyagi]

Ok, based on the info above, I changed the wording to:

Please ensure that your OpenSSL version supports TLS v1.1 or higher. At a minimum use v1.0.1g, however we recommend v1.1.0 and up.

[drewish]

👍

[bhelx]

@rafdizzle86 agreed, thoughtful consideration

[bhelx]

👍