Andrew Stitcher commented on PROTON-2009:

A solution to this issue that I'm contemplating is this:

Initially to extend the string API to pn_ssl_domain_set_protocols() to allow a 
string like:

"TLSv1-TLSv1.3" to indicate a range of protocol versions. With "-TLSv1.1" 
meaning every version up to (and including) TLS 1.1; and "TLSv1_2-" meaning 
every version later than and including TLS 1.2.

Then to deprecate and remove support for the list format of the string and only 
retain the range string format. This would allow the current API and allow a 
transition to the one supported by openssl 1.1. It also allows the rather more 
future proof "TLSv1_x-" form allowing restriction on the previous protocol 
versions but allowing any new ones.

> OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with 
> SSL_CTX_set_options
> ----------------------------------------------------------------------------------------
>                 Key: PROTON-2009
>                 URL: https://issues.apache.org/jira/browse/PROTON-2009
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: proton-c-0.26.0
>         Environment: Fedora 29, OpenSSL 1.1.1 FIPS  11 Sep 2018
>            Reporter: Chuck Rolke
>            Assignee: Andrew Stitcher
>            Priority: Major
> The OpenSSL SSL_OP_NO_TLSvxxx options are deprecated for use in 
> SSL_CTX_set_options().
> As of OpenSSL 1.1 way to specify TLS versions is through a min-version and 
> max-version scheme - this is more code future proof.
> You can specify a minimum version and 0 for the maximum meaning the latest 
> version.
> Proton's interface to this allows more than can be specified using the 
> min/max API as you can specify each protocol individually.
> The proton code is also not future proof in that it "knows" about each TLS 
> protocol individually in the code.

This message was sent by Atlassian JIRA
