On 2026-05-26 17:59:44 [+0200], Chris Hofstaedtler wrote:
> On Tue, May 26, 2026 at 05:14:42PM +0200, Stéphane Glondu wrote:
> > Le 26/05/2026 à 13:27, Sebastian Andrzej Siewior a écrit :
> > > > Source: ocaml-conduit
> > >
> > > > ocaml-conduit (8.0.0-3) unstable; urgency=medium
> > > > .
> > > > * Use TLSv1 in default context (Closes: #1137561)
> > >
> > > The change is
> > >
> > > | - let ctx = Ssl.create_context Ssl.SSLv23 Ssl.Client_context in
> > > | + let ctx = Ssl.create_context Ssl.TLSv1 Ssl.Client_context in
> > >
> > > I have no idea what it does. If this points to something like
> > > SSLv23_method() then this one used to create a TLS connection with the
> > > highest possible TLS protocol version where TLSv1_method() restricts it
> > > to TLSv1 only. A proper replacement would be TLS_method() which is also
> > > available in the openssl 3.x series.
> >
> > After digging, TLS_method() is indeed used; the relevant lines triggered by
> > this change are in ocaml-ssl/ssl_stubs.c/set_protocol:
> >
> > > case 2:
> > >   if (!SSL_CTX_set_min_proto_version(ssl_context, TLS1_VERSION) ||
> > >       !SSL_CTX_set_max_proto_version(ssl_context, TLS1_VERSION)) {
> > >     caml_acquire_runtime_system();
> > >     caml_invalid_argument("Failed to set protocol to TLSv1");
> > >   }
> > >   break;
> >
> > I don't know why proto_version is set to such a narrow interval, it looks
> > unfortunate... I don't know much about OpenSSL's API, is that OK?
>
> Looking at the ocaml-ssl source, this is not good...
>
> Ssl.SSLv23 triggers the case 0: branch which does:
> SSL_CTX_set_min_proto_version(ssl_context, SSL3_VERSION)
> SSL_CTX_set_max_proto_version(ssl_context, max_proto)
> where max_proto = TLS1_3_VERSION
>
> which is almost what you really want. Restricting to TLS1.0 as now
> done with Ssl.TLSv1 is bad for a multitude of reasons including that
> it probably doesn't work against any modern server.
>
> So maybe ocaml-ssl should keep the "SSLv23" branch and just stop
> calling SSL_CTX_set_min_proto_version. Or stop calling both min/max
> and let openssl decide?
Yes, that would be what you really want: Not touching min/max and
leaving the defaults.
Historically speaking, we had SSLv2 and then SSLv3. So first you used
SSLv2() and then with the introduction of SSLv3 the default was
SSLv23() which made both versions possible, choosing the higher one.
It has been made possible to force a specific version (by using SSLv2(),
SSLv3() and later TLSv1() for v1.0) because it happened that one side had
a buggy stack and forcing the specific version on the client side was a
way to work around the buggy stack.
This version setting made its way through most clients and everyone
assumed it is needed.
SSLv23 was the "default" which also enabled TLSv1.0+ but the naming led
to confusions on its own.
Today, openssl forces various things by default such as protocol version
v1.2+. This means if the client forces TLSv1 (min+max) then a connection
is not possible unless the remote side explicitly allows TLSv1. Since at
least Bookworm TLSv1.2 is the lower end.
Ideally you want TLSv1.3(+) (again since Bookworm at least) where you
have things such as PFS so every connection is secured with its own
session key.
SSLv3 and lower is disabled in Debian at compile time (and I think in v4
it was ripped out).
TLSv1.1 and lower is disabled by default at runtime and can be
overwritten at runtime via openssl.cnf.
> Chris
Sebastian
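The version-range problem discussed in this thread, as an added example that is not part of the original mails nor of ocaml-ssl or ocaml-conduit. It models the two `set_protocol` branches quoted above as (min, max) intervals, computes what a client pinned to TLS 1.0 can negotiate against a server whose floor is TLS 1.2 (the Debian bookworm default described by Sebastian, assumed here as a constant), and uses Python's standard `ssl` module as a stand-in for `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` to show the pinned context next to one that leaves the range to OpenSSL. The `negotiate`, `outcome_for`, `client_context_*` and `effective_range` names are the example's own.

```python
import ssl
from typing import Dict, Optional, Tuple

V = ssl.TLSVersion
Range = Tuple[V, V]  # (minimum, maximum) protocol version a peer accepts

# Constructed model of the two ocaml-ssl set_protocol branches quoted in the
# thread: Ssl.SSLv23 (case 0) pins [SSL3_VERSION, TLS1_3_VERSION], while
# Ssl.TLSv1 (case 2) pins min and max both to TLS1_VERSION.
OCAML_SSL_RANGES: Dict[str, Range] = {
    "SSLv23": (V.SSLv3, V.TLSv1_3),
    "TLSv1": (V.TLSv1, V.TLSv1),
}

# Assumed server floor: Debian bookworm's OpenSSL disables TLS 1.1 and below
# at runtime by default, so a stock server effectively offers [TLS1.2, TLS1.3].
DEBIAN_DEFAULT_RANGE: Range = (V.TLSv1_2, V.TLSv1_3)


def negotiate(client: Range, server: Range) -> Optional[V]:
    """Highest version both ranges allow, or None when the intervals do not overlap.

    This is the arithmetic behind a TLS version negotiation: the handshake can
    only succeed on a version that lies inside both peers' [min, max] windows.
    """
    low = max(client[0], server[0])
    high = min(client[1], server[1])
    if low > high:
        return None
    return V(high)


def outcome_for(ocaml_choice: str, server: Range = DEBIAN_DEFAULT_RANGE) -> Optional[V]:
    """Version a client built with the given Ssl.* protocol choice would get."""
    return negotiate(OCAML_SSL_RANGES[ocaml_choice], server)


def client_context_with_defaults() -> ssl.SSLContext:
    """The shape recommended in the thread: a TLS_method()-style client context
    whose min/max versions are left to the library and its openssl.cnf policy."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def client_context_pinned_to_tls10() -> Optional[ssl.SSLContext]:
    """What the ocaml-conduit change effectively does (min = max = TLS 1.0).

    Returns None when this OpenSSL build refuses to configure TLS 1.0 at all,
    which is the same failure ocaml-ssl reports with caml_invalid_argument.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = V.TLSv1
        ctx.maximum_version = V.TLSv1
    except ValueError:
        return None
    return ctx


def effective_range(ctx: ssl.SSLContext) -> Range:
    """Read back the configured window, as SSL_CTX_get_{min,max}_proto_version would."""
    return (ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    for choice in OCAML_SSL_RANGES:
        print(f"Ssl.{choice:<6} vs bookworm default server -> {outcome_for(choice)}")
    pinned = client_context_pinned_to_tls10()
    print("pinned context:", None if pinned is None else effective_range(pinned))
    print("default context:", effective_range(client_context_with_defaults()))
```

Against the modeled bookworm server the `Ssl.TLSv1` window yields no common version at all, while the old `Ssl.SSLv23` window still lands on TLS 1.3 because only its upper bound matters once the server floor is above SSLv3; the actual fix is simply not to narrow the window at all, as `client_context_with_defaults` does.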