On Wed, Nov 16, 2016 at 10:58:17PM +0000, craig_we...@trendmicro.com wrote:

> Our product is going to provide runtime options to the user to enable and
> disable TLS 1.0, 1.1 and 1.2 in a discrete manner.

This is a bad interface.  Do not implement this feature.  Instead
support only a contiguous range of protocol versions, by allowing
the user to specify a lowest supported version and a highest
supported version.

This maps directly onto the OpenSSL 1.1.0 API, but in older
versions you'll need to map these onto corresponding:

        SSL_OP_NO_...

macros to disable all versions below the lowest, and if possible,
at least one version above the highest.  Note that TLS 1.2 is
the highest supported in OpenSSL 1.0.x, and no higher versions will
be added.  So "<= TLS 1.2" is the same as not bounded above.

-- 
        Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

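The mapping Viktor describes for pre-1.1.0 OpenSSL, as an added example that is not part of the original mail: a lowest/highest protocol pair is turned into the SSL_OP_NO_* mask that disables every version below the lowest and above the highest (SSLv2 always off), which the caller then hands to SSL_CTX_set_options(). The enum, the proto_range_options() helper and its -1 error return are this example's own conventions, not OpenSSL API; the fallback macro values are copied from the OpenSSL 1.0.x header so the file compiles without it, and on 1.1.0+ SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() replace all of this.

```c
/* Added example: map a [lowest, highest] version range onto OpenSSL 1.0.x
 * SSL_OP_NO_* bits. Not from the original mail or from OpenSSL itself. */
#include <stdio.h>

/* Fallback definitions so this compiles without OpenSSL installed.
 * The values match OpenSSL 1.0.x <openssl/ssl.h>; when building against
 * OpenSSL, include that header first and the real macros win. */
#ifndef SSL_OP_NO_SSLv2
#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

/* Versions in order (example's own enum); PROTO_COUNT marks the end. */
enum proto { PROTO_SSLv3 = 0, PROTO_TLSv1_0, PROTO_TLSv1_1, PROTO_TLSv1_2,
             PROTO_COUNT };

/* The SSL_OP_NO_* bit that switches off each version above, same order. */
static const long proto_no_bits[PROTO_COUNT] = {
    SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2,
};

/* Build the option mask that leaves exactly lowest..highest enabled: every
 * version below lowest and above highest is disabled, SSLv2 always is.
 * Returns -1 for an inverted or out-of-range request, so a caller cannot
 * silently end up with an empty or non-contiguous version set.
 * Usage: SSL_CTX_set_options(ctx, proto_range_options(lo, hi)); */
long proto_range_options(enum proto lowest, enum proto highest)
{
    long mask = SSL_OP_NO_SSLv2;
    int v;

    if ((int)lowest < 0 || (int)highest >= PROTO_COUNT || lowest > highest)
        return -1;
    for (v = 0; v < PROTO_COUNT; v++)
        if (v < (int)lowest || v > (int)highest)
            mask |= proto_no_bits[v];
    return mask;
}

int main(void)
{
    /* "TLS 1.1 or better": only SSLv2, SSLv3 and TLS 1.0 bits are set, and
     * nothing above TLS 1.2, since 1.0.x has no higher version to disable. */
    printf("0x%08lx\n", proto_range_options(PROTO_TLSv1_1, PROTO_TLSv1_2));
    return 0;
}
```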