[
https://issues.apache.org/jira/browse/PROTON-1670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247760#comment-16247760
]
Andrew Stitcher commented on PROTON-1670:
-----------------------------------------
To be clear, this work item is adding an API to proton-c that configures which
of the TLSv1.0, TLSv1.1, TLSv1.2 protocols are enabled.
The underlying API from OpenSSL for this is rather different from the one for
configuring ciphers:
There are option flags {{SSL_OP_NO_TLSv1}}, {{SSL_OP_NO_TLSv1_1}} and
{{SSL_OP_NO_TLSv1_2}} which can be passed to {{SSL_CTX_set_options()}} to turn
each protocol off individually -- the implementation already turns off all the
SSL versions anyway for security reasons.
So we could take a string like the one for {{pn_ssl_domain_set_ciphers()}} and
decompose the string into the underlying flags -- this is probably most
consonant with the other API; or we could have separate individual APIs to
disable each unwanted protocol version, viz. {{pn_ssl_domain_disable_tls10()}},
{{pn_ssl_domain_disable_tls11()}}, {{pn_ssl_domain_disable_tls12()}}. But this
isn't very future-proof, needing a new API for each protocol version (although
they won't actually get added very fast); finally, we could use a similar API to
OpenSSL and use option flags -- probably renamed with a PN_SSL_ prefix.
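As an added illustration of the first option above (this is example code, not Proton's), the helper below takes a protocol-list string in the style of {{pn_ssl_domain_set_ciphers()}} and decomposes it into the {{SSL_OP_NO_*}} mask that {{SSL_CTX_set_options()}} expects, with SSLv3 always disabled. The function name {{tls_versions_to_options}} is hypothetical; the fallback {{#define}} values are the bit values OpenSSL assigns and are used only when the real header is absent.

```c
/* Added example, not Qpid Proton's own code. */
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif
/* Fallbacks carrying OpenSSL's own bit values, so the mask computation
 * compiles stand-alone when the OpenSSL headers are not installed. */
#ifndef SSL_OP_NO_SSLv3
#  define SSL_OP_NO_SSLv3   0x02000000L
#  define SSL_OP_NO_TLSv1   0x04000000L
#  define SSL_OP_NO_TLSv1_2 0x08000000L
#  define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

#define ALL_TLS_OFF (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)

/* spec lists the protocol versions to ENABLE, separated by spaces, commas
 * or colons (e.g. "TLSv1.1:TLSv1.2"). Every version not listed is turned
 * off, and SSLv3 is always turned off (SSLv2 is gone from modern OpenSSL).
 * Returns the SSL_OP_NO_* mask, or -1 for an unknown token, an over-long
 * string, or a spec that would leave no protocol enabled. */
long tls_versions_to_options(const char *spec)
{
    static const struct { const char *name; long flag; } known[] = {
        { "TLSv1",   SSL_OP_NO_TLSv1   },
        { "TLSv1.1", SSL_OP_NO_TLSv1_1 },
        { "TLSv1.2", SSL_OP_NO_TLSv1_2 },
    };
    const size_t n = sizeof known / sizeof known[0];
    long off = ALL_TLS_OFF;           /* start with everything disabled */
    char buf[256];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, " ,:"); tok; tok = strtok(NULL, " ,:")) {
        size_t i;
        for (i = 0; i < n && strcmp(tok, known[i].name) != 0; i++) ;
        if (i == n) return -1;        /* reject unknown version strings */
        off &= ~known[i].flag;        /* listed version stays enabled */
    }
    if (off == ALL_TLS_OFF) return -1;
    return SSL_OP_NO_SSLv3 | off;
}

int main(void)
{
    long opts = tls_versions_to_options("TLSv1.1:TLSv1.2");
    printf("options mask: 0x%08lx\n", opts);  /* pass to SSL_CTX_set_options */
    return opts < 0;
}
```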
> Configurable TLS versions
> -------------------------
>
> Key: PROTON-1670
> URL: https://issues.apache.org/jira/browse/PROTON-1670
> Project: Qpid Proton
> Issue Type: New Feature
> Components: proton-c
> Affects Versions: proton-c-0.17.0
> Reporter: Justin Ross
> Assignee: Andrew Stitcher
> Labels: api, tls
> Fix For: proton-c-0.19.0
>
>
> This link has examples of what httpd and nginx offer:
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)