Hi Emeric,

> On 20 March 2017 at 12:50, Emeric Brun <[email protected]> wrote:
>
> Hi Manu,
>
> On 03/20/2017 11:46 AM, Emeric Brun wrote:
>> Hi Manu,
>>
>> On 03/17/2017 06:43 PM, Emmanuel Hocdet wrote:
>>>
>>>> On 16 March 2017 at 17:49, Emmanuel Hocdet <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>
>>>> Hi Emeric,
>>>>
>>> With these patches, all tls versions are supported and it’s easy to add new
>>> tls versions internally.
>>> min-tlsxx and max-tlsxx are supported for all ssllibs: configuration will be
>>> clearer than with no-tlsxx and without « holes ».
>>> Adding SSL_CTX_set_min/max_proto_version could be an option but I do not see
>>> the necessity.
>>>
>>> Manu
>>>
>>>
>>
>> I'm still thinking that SSL_set_min/max_proto_version are a better approach
>> to handle 'force-' options for openssl version >= 1.1 . Less intrusive for
>> older openssl's versions and without any doubt on what they are going to do
>> even if new protocol versions would appear.
>>
>> R,
>> Emeric
>>
> Something like that (see attachment).
>
Yes, I understood. I prefer the abstraction on the flagging versions. It's simpler to add min-xx max-xx: the configuration is more consistent than no-xxx (and avoids 'holes'). Requirements to not change old implementations of force-xx and fix the max version can be addressed with my patches. I have one that happens.

++
Manu

