correct, and specifically with backports there is no other reasonable way to do this. Since the mitigation needs to happen outside of the openssl integration, you need to expose the flag to clients and allow them to make the choice to ignore the error or not, until they handle this. But in a backport, you can't expose new apis like this to clients, because that code isn't getting updated.