On 26/05/2026 at 13:27, Sebastian Andrzej Siewior wrote:
> Source: ocaml-conduit
> Okay, so the package is completely different.
> …
> ocaml-conduit (8.0.0-3) unstable; urgency=medium
> .
> * Use TLSv1 in default context (Closes: #1137561)
> The change is
> | - let ctx = Ssl.create_context Ssl.SSLv23 Ssl.Client_context in
> | + let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in
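Review bot: replacing Ssl.SSLv23 with Ssl.TLSv1 narrows the context to TLS 1.0 only instead of raising the floor; as the set_protocol excerpt quoted further down shows, Ssl.TLSv1 makes ocaml-ssl set both the minimum and the maximum protocol version to TLS1_VERSION, so the client can no longer negotiate TLS 1.2 or 1.3 with any server. If the goal is to stop using legacy SSL versions, keep the version-negotiating behaviour (SSLv23 maps to TLS_method() per this thread) and impose a minimum version rather than pinning a single one; the changelog entry should also say which behaviour was intended for #1137561.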
> I have no idea what it does. If this points to something like
> SSLv23_method() then this one used to create a TLS connection with the
> highest possible TLS protocol version where TLSv1_method() restricts it
> to TLSv1 only. A proper replacement would be TLS_method() which is also
> available in the openssl 3.x series.
After digging, TLS_method() is indeed used; the relevant lines triggered
by this change are in ocaml-ssl/ssl_stubs.c/set_protocol:
    case 2:
      if (!SSL_CTX_set_min_proto_version(ssl_context, TLS1_VERSION) ||
          !SSL_CTX_set_max_proto_version(ssl_context, TLS1_VERSION)) {
        caml_acquire_runtime_system();
        caml_invalid_argument("Failed to set protocol to TLSv1");
      }
      break;
I don't know why proto_version is set to such a narrow interval, it
looks unfortunate... I don't know much about OpenSSL's API, is that OK?
Cheers,
--
Stéphane