[ https://issues.apache.org/jira/browse/PROTON-1670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247777#comment-16247777 ]
Andrew Stitcher edited comment on PROTON-1670 at 11/10/17 5:06 PM:
-------------------------------------------------------------------
So I propose an API that works like this:
* If the protocols aren't specified then we carry on as at present allowing all
the TLS but no SSL protocol versions.
* We use a string form to specify the protocols allowed -- This seems most
consonant with the current API and future proof. Also somewhat easier to use
for a configuration file, as you can just pass the user string directly through.
* If the API is used then *only* the specified protocols are allowed -- so we
have to negate the set to pass to the OpenSSL API.
As a strawman call the API {{pn_ssl_domain_set_protocols()}} and use strings
{{"TLSv1"}} {{"TLSv1.1"}} {{"TLSv1.2"}}
Allow multiple protocols by using a space or comma separated string.

was (Author: astitcher):
So I propose an API that works like this:
* If the protocols aren't specified then we carry on as at present allowing all
the TLS but no SSL protocol versions.
* We use a string form to specify the protocols allowed -- This seems most
consonant with the current API and future proof. Also somewhat easier to use
for a configuration file, as you can just pass the user string directly through.
* If the API is used then *only* the specified protocols are allowed -- so we
have to negate the set to pass to the OpenSSL API.
As a strawman call the API {{pn_ssl_domain_set_protocols()}} and use strings
{{"TLSv1"}} {{"TLSv1.1"}} {{"TLSv1.2"}}
> Configurable TLS versions
> -------------------------
>
> Key: PROTON-1670
> URL: https://issues.apache.org/jira/browse/PROTON-1670
> Project: Qpid Proton
> Issue Type: New Feature
> Components: proton-c
> Affects Versions: proton-c-0.17.0
> Reporter: Justin Ross
> Assignee: Andrew Stitcher
> Labels: api, tls
> Fix For: proton-c-0.19.0
>
>
> This link has examples of what httpd and nginx offer:
> https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
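The allow-list-to-disable-mask step described in the comment above, as an added example that is not Proton's code or part of the original message. `protocols_to_disable_mask()` is a hypothetical helper, the `NO_*` constants are local stand-ins for OpenSSL's `SSL_OP_NO_TLSv1`, `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` option bits, and rejecting unknown or empty lists is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for OpenSSL's SSL_OP_NO_TLSv1 / _1 / _2 option bits, so the
 * example builds without OpenSSL headers. SSL versions stay disabled always. */
enum { NO_TLSV1 = 1, NO_TLSV1_1 = 2, NO_TLSV1_2 = 4,
       NO_ALL = NO_TLSV1 | NO_TLSV1_1 | NO_TLSV1_2 };

static const struct { const char *name; unsigned no_bit; } known[] = {
    { "TLSv1", NO_TLSV1 }, { "TLSv1.1", NO_TLSV1_1 }, { "TLSv1.2", NO_TLSV1_2 },
};

/* Hypothetical helper: convert a space/comma separated allow-list into the
 * mask of versions to disable. NULL means "not specified": nothing extra is
 * disabled. Returns -1 (mask untouched) on an unknown token or an empty
 * list, so a typo never silently widens the allowed set. */
int protocols_to_disable_mask(const char *protocols, unsigned *mask)
{
    unsigned allowed = 0;
    const char *p = protocols;
    if (!protocols) { *mask = 0; return 0; }
    while (*p) {
        size_t len = strcspn(p, " ,");          /* length of next token */
        if (len > 0) {
            size_t i, n = sizeof known / sizeof known[0];
            /* Exact-length match: "TLSv1" must not match "TLSv1.1". */
            for (i = 0; i < n; i++)
                if (strlen(known[i].name) == len &&
                    strncmp(p, known[i].name, len) == 0)
                    break;
            if (i == n) return -1;              /* e.g. "SSLv3", "TLSv1." */
            allowed |= known[i].no_bit;
        }
        p += len;
        p += strspn(p, " ,");                   /* skip separators */
    }
    if (!allowed) return -1;
    *mask = NO_ALL & ~allowed;                  /* negate the allowed set */
    return 0;
}

int main(void)
{
    unsigned mask;
    if (protocols_to_disable_mask("TLSv1.1, TLSv1.2", &mask) == 0)
        printf("disable mask: 0x%x\n", mask);
    return 0;
}
```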