And also here:
Pen 0.27.4 rounds off the SSL support with several TLS extensions and security related enhancements.
TLS 1.1 and TLS 1.2 can now be individually disabled.
Client-initiated secure renegotiation can now be rate-limited. The default “limit” is once per hour, which effectively disables this potential vector for denial of service.
OCSP stapling is now supported.
Server Name Indication is supported.
See penctl manpage for configuration help.
Full list of changes from 0.27.3:
150408 Updated ocsp stapling to be compatible with server name indication.
Added pen-ocsp.sh script.
150407 SSL code broken out into ssl.[ch]. SSL context creation broken
out from ssl_init to ssl_create_context.
Server Name Indication support. New command to enable:
where PATH is the name of a directory containing domain.key,
domain.crt and domain.ca files for each domain.
150406 OCSP stapling. New command ssl_ocsp_response filename
specifies the location of the ocsp response to be stapled.
The response must be pre-fetched. The idea was borrowed
from Rob Stradling.
150403 New command ssl_client_renegotiation_interval specifies the
minimum number of seconds the client must wait between
renegotiation requests. Default 3600.
150402 Enabled SSL session resumption.
In do_cmd: don’t print “ignoring command” for comments starting
150330 Added ssl_option no_tlsv1.1 and ssl_option no_tlsv1.2 to disable
SSL 1.1 and 1.2 respectively.