[1] I rolled my own CA bundle this week; it turns out I need to include 4 1024-bit certs because the endpoints I hit are chaining to them for legacy clients, and OpenSSL didn't understand to stop when it got to a cert it knew until 1.0.2, which was released in January. Given what happened the last time I upgraded OpenSSL versions, I'm not inclined to upgrade right away. Seriously, the week after we upgraded to OpenSSL 1.0.1, Heartbleed came out; serves us right for wanting to support TLS 1.1 and 1.2 and PFS.
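A bundle that deliberately carries 1024-bit legacy roots should at least be auditable, so that you know exactly which weak certificates you ship and whether they are self-signed roots (the ones a trusted-first chain builder would stop at) or cross-signs. The script below is an added example, not code from the comment above; it assumes the `cryptography` Python package is installed, and the two certificates it inspects are generated in the script as constructed sample data so it runs offline.

```python
"""Audit a hand-rolled CA bundle for RSA certificates weaker than a threshold.

Added example (not from the original comment). Assumes the `cryptography`
package is available; the sample bundle below is constructed on the fly.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def _self_signed_root(common_name: str, key_size: int) -> bytes:
    """Build a constructed self-signed CA certificate and return it as PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # issuer == subject marks it as a self-signed root
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def split_bundle(bundle_pem: bytes) -> list:
    """Split a concatenated PEM bundle into individual certificate blobs."""
    blobs = []
    for chunk in bundle_pem.split(PEM_BEGIN)[1:]:
        body = chunk.split(PEM_END)[0]
        blobs.append(PEM_BEGIN + body + PEM_END + b"\n")
    return blobs


def audit_bundle(bundle_pem: bytes, min_bits: int = 2048) -> list:
    """Return (subject, key_bits, is_self_signed) for every cert below min_bits.

    Self-signed entries are trust anchors; a cross-signed entry (issuer differs
    from subject) is the kind of cert an older chain builder walks past instead
    of stopping at.
    """
    weak = []
    for blob in split_bundle(bundle_pem):
        cert = x509.load_pem_x509_certificate(blob)
        bits = cert.public_key().key_size
        if bits < min_bits:
            weak.append((cert.subject.rfc4514_string(), bits, cert.issuer == cert.subject))
    return weak


# Constructed sample bundle: one modern 2048-bit root plus one legacy 1024-bit root.
SAMPLE_BUNDLE = (
    _self_signed_root("Modern Root (constructed)", 2048)
    + _self_signed_root("Legacy Root (constructed)", 1024)
)

if __name__ == "__main__":
    for subject, bits, self_signed in audit_bundle(SAMPLE_BUNDLE):
        print(f"WEAK {bits}-bit key: {subject} (self-signed={self_signed})")
```

To audit a real bundle, read its bytes and pass them to `audit_bundle`; the threshold defaults to 2048 bits so anything you kept for legacy compatibility shows up explicitly rather than hiding among hundreds of modern roots.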