On Thu, Dec 04, 2014, Tomas Hoger wrote:

> On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote:
>
> Maybe applications may benefit from an API where they can pass string
> set by the end user and let OpenSSL parse version number from that.
> If mod_ssl had configuration directives as SSLProtocolMin and
> SSLProtocolMax, it could e.g. use the following while used with OpenSSL
> 1.0.0:
>
> SSLProtocolMin "TLSv1.0"
>
> instead of
>
> SSLProtocol all -SSLv2 -SSLv3
>
> If TLS 1.2 is undesired after rebase to OpenSSL 1.0.1, this can be
> added:
>
> SSLProtocolMax "TLSv1.1"
>
> The httpd could be able to treat SSLProtocolMin/Max strings as opaque,
> just like SSLCipherSuite.
>
This can already be done in the SSL_CONF API for OpenSSL 1.0.2+. Apache httpd
(and hopefully other applications at some point) includes support so we'd just
need to add a new command value.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
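
The pass-through discussed in this thread, sketched as an httpd configuration fragment. This is an added example, not part of the original message or of either project's documentation. It assumes mod_ssl's `SSLOpenSSLConfCmd` directive (httpd 2.4.8 or later) and the `MinProtocol`/`MaxProtocol` SSL_CONF commands that OpenSSL gained in 1.1.0; the version bounds are the ones from the quoted proposal, written in OpenSSL's spelling (`TLSv1`, not `TLSv1.0`).

```apache
# Subtractive form from the quoted message. Any protocol version that a
# later OpenSSL rebase introduces is enabled implicitly, because "all"
# grows with the library.
SSLProtocol all -SSLv2 -SSLv3

# Same policy routed through the SSL_CONF API (OpenSSL 1.0.2+).
# httpd passes the command name and the value string to SSL_CONF_cmd()
# and OpenSSL does the parsing, so the value is opaque to httpd in the
# same way an SSLCipherSuite string is.
SSLOpenSSLConfCmd Protocol "ALL,-SSLv2,-SSLv3"

# Range form (assumes OpenSSL 1.1.0+, where these two commands exist).
# The floor and ceiling are explicit, so a library upgrade does not
# change which versions are negotiated.
SSLOpenSSLConfCmd MinProtocol TLSv1
SSLOpenSSLConfCmd MaxProtocol TLSv1.1
```

The three forms are alternatives; a deployed virtual host would carry only one of them.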