On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote:

> This is an initial patch to support being able to set the minimum
> and maximum protocol version. The patch is currently untested,
> that will happen as I rewrite other things. But I'm looking for
> feedback.

It seems *TLS*_VERSION constants are meant to be used to set minimum / maximum. A drawback of such an approach is that applications need to be recompiled and/or modified when OpenSSL is updated with support for a newer protocol version, if use of the new version is to be controlled via this API. We've seen such issues when OpenSSL was updated from 1.0.0 to 1.0.1 in Red Hat Enterprise Linux. Some users needed to disable TLS 1.2 in mod_ssl, but that required httpd changes.

Maybe applications may benefit from an API where they can pass a string set by the end user and let OpenSSL parse the version number from that. If mod_ssl had configuration directives such as SSLProtocolMin and SSLProtocolMax, it could e.g. use the following while used with OpenSSL 1.0.0:

    SSLProtocolMin "TLSv1.0"

instead of

    SSLProtocol all -SSLv2 -SSLv3

If TLS 1.2 is undesired after rebase to OpenSSL 1.0.1, this can be added:

    SSLProtocolMax "TLSv1.1"

The httpd could then treat SSLProtocolMin/Max strings as opaque, just like SSLCipherSuite.

Or maybe have a way to control protocol versions via the cipher suite string. Similar to what GnuTLS does with its priority string, which can set ciphers, protocol versions, etc.

http://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings

There are applications using OpenSSL that allow their users to control the cipher string, but offer no way to set protocol versions.

Just 2c ideas about the API, I've not reviewed the patch.

-- 
Tomas Hoger

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
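The string-based approach sketched above, as an added example that is not code from the thread, from OpenSSL or from mod_ssl: the application hands an opaque name such as "TLSv1.0" to a library-owned table, so a newer protocol only has to be added to the table, not to every application. The SSLProtocolMin/SSLProtocolMax directive names are the hypothetical ones from the mail, and the version constants are defined locally with the wire values OpenSSL's *_VERSION macros carry so the example builds without OpenSSL headers.

```c
/* Added example (not code from the thread, OpenSSL or mod_ssl): an opaque
 * protocol-version string such as a hypothetical SSLProtocolMin "TLSv1.0"
 * is mapped to a version number by a library-owned table.  The constants
 * carry the wire values of OpenSSL's *_VERSION macros but are defined here. */
#include <string.h>

#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Library-side table: a protocol added here needs no application rebuild. */
static const struct { const char *name; int version; } proto_names[] = {
    { "SSLv3",   SSL3_VERSION   },
    { "TLSv1.0", TLS1_VERSION   },
    { "TLSv1.1", TLS1_1_VERSION },
    { "TLSv1.2", TLS1_2_VERSION },
};

/* Version number for an exactly matching name, or -1 if the name is unknown. */
int proto_version_from_string(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof proto_names / sizeof proto_names[0]; i++)
        if (strcmp(name, proto_names[i].name) == 0)
            return proto_names[i].version;
    return -1;
}

/* Resolve a min/max pair from configuration; NULL means "no bound" (0).
 * Returns 0 on success, -1 for an unknown name or an inverted range, so a
 * misconfiguration fails at startup instead of silently widening the range. */
int resolve_proto_range(const char *min_str, const char *max_str, int *min_out, int *max_out)
{
    int lo = 0, hi = 0;
    if (min_str != NULL && (lo = proto_version_from_string(min_str)) < 0) return -1;
    if (max_str != NULL && (hi = proto_version_from_string(max_str)) < 0) return -1;
    if (lo != 0 && hi != 0 && lo > hi) return -1;
    *min_out = lo; *max_out = hi;
    return 0;
}

/* True when a negotiated version falls inside the configured range (0 = open end). */
int proto_version_allowed(int version, int lo, int hi)
{
    return (lo == 0 || version >= lo) && (hi == 0 || version <= hi);
}
```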