Hi Emeric,

> On 28 Apr 2017 at 17:57, Emmanuel Hocdet <[email protected]> wrote:
>
> Hi Emeric, Willy
>
> Up the thread with a compatible configuration view.
>
> 1) force-xx force-tlsv12 no-tlsv12
> old: do a force-tlsv12 (no-xx ignored without warning)
> new: warning "all SSL/TLS versions are disabled"
>
> It's not a good configuration, but... It can be changed with:
> . no-xx ignored when force-xx, min-ssl-ver or max-ssl-ver is used (impact 4
> and 5) for compat and to simplify configuration

no-xx: ignored with warning

> . generate an error
> . keep warning, but it can depend on 2)
>
> 2) force-tlsv12 with openssl without v1.2
> old: error "option not implemented"
> new: warning "all SSL/TLS versions are disabled"
> => generate an error?

generate an error

> 3) no-tlsv10
> old: hole without warning
> new: warning 'hole'
> => I prefer to keep the warning and not generate an error, openssl will deal with that

no change

> 4) min-ssl-ver TLSv1.0 no-tlsv11
> new: warning 'hole'
> . no hole if no-tlsxx ignored

Ignored with warning.

> 5) max-ssl-ver TLSv1.2 no-sslv3
> ok but sslv3 will be activated if no-xx are ignored (1) (need at least
> warning)

Ignored with warning.
(I will suggest to disable sslv3 per default for bind. It can be 'forced' with ssl-min-ver SSLv3.)
I added a patch (7) for that.

All patches are rebased on current master in the mail.

++
Manu
Attachments:
0001-MEDIUM-ssl-revert-ssl-tls-version-settings-relative-.patch
0002-MEDIUM-ssl-ssl_methods-implementation-is-reworked-an.patch
0003-MEDIUM-ssl-calculate-the-real-min-max-TLS-version-an.patch
0004-MINOR-ssl-support-TLSv1.3-for-bind-and-server.patch
0005-MINOR-ssl-show-methods-supported-by-openssl.patch
0006-MEDIUM-ssl-add-ssl-min-ver-and-ssl-max-ver-parameter.patch
0007-MEDIUM-ssl-ssl-min-ver-and-ssl-max-ver-compatibility.patch
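The five configuration cases discussed above and the answers given for them, as an added standalone Python model. This is example code written for this page, not HAProxy's own code and not what the attached patches implement: it resolves an effective protocol range the way the reply proposes (no-xx ignored with a warning when force-xx, ssl-min-ver or ssl-max-ver is present; an error when the forced/min/max version is not built into OpenSSL; a 'hole' warning when a disabled version sits inside the range; a warning when nothing is left enabled). The names `VERSIONS`, `resolve_versions`, the `supported` tuple standing in for what the linked OpenSSL offers, and the `default_min` floor (TLSv1.0 to mirror the "disable sslv3 per default for bind" suggestion) are assumptions of the example.

```python
"""Hypothetical model of the SSL/TLS version-range rules proposed in the thread.

Standalone example, not HAProxy code. Warning texts are modelled on the ones
quoted in the mail; everything else here is an assumption of the example.
"""

# Protocol versions in ascending order; spelt like the HAProxy keyword values.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def resolve_versions(force=None, ssl_min=None, ssl_max=None, disabled=(),
                     supported=tuple(VERSIONS), default_min="TLSv1.0"):
    """Return (enabled, warnings, errors) for one bind/server line.

    force       - version named by a force-<ver> keyword, or None
    ssl_min     - ssl-min-ver value, or None
    ssl_max     - ssl-max-ver value, or None
    disabled    - versions named by no-<ver> keywords
    supported   - versions the linked OpenSSL offers (constructed for the example)
    default_min - floor used when nothing sets one; TLSv1.0 mirrors the
                  suggestion to keep SSLv3 off unless ssl-min-ver SSLv3 is given
    """
    warnings, errors = [], []
    disabled = set(disabled)

    # Cases 1, 4, 5: explicit range keywords win; no-<ver> is ignored with a warning.
    if disabled and (force or ssl_min or ssl_max):
        names = ",no-".join(sorted(disabled, key=VERSIONS.index))
        warnings.append("no-%s ignored: force-/ssl-min-ver/ssl-max-ver is set" % names)
        disabled = set()

    lo = force or ssl_min or default_min
    hi = force or ssl_max or supported[-1]

    # Case 2: asking for a version this OpenSSL lacks is a hard error, not a warning.
    for v in (force, ssl_min, ssl_max):
        if v is not None and v not in supported:
            errors.append("%s not implemented by this OpenSSL" % v)
    if errors:
        return [], warnings, errors

    lo_i, hi_i = VERSIONS.index(lo), VERSIONS.index(hi)
    if lo_i > hi_i:
        errors.append("ssl-min-ver %s is above ssl-max-ver %s" % (lo, hi))
        return [], warnings, errors

    candidates = [v for v in VERSIONS[lo_i:hi_i + 1] if v in supported]
    enabled = [v for v in candidates if v not in disabled]

    if not enabled:
        warnings.append("all SSL/TLS versions are disabled")
        return enabled, warnings, errors

    # Case 3: a gap inside the enabled range is a 'hole'; warn, let OpenSSL handle it.
    first, last = VERSIONS.index(enabled[0]), VERSIONS.index(enabled[-1])
    span = [v for v in VERSIONS[first:last + 1] if v in supported]
    if len(enabled) != len(span):
        warnings.append("hole in SSL/TLS versions: %s" % ", ".join(enabled))

    return enabled, warnings, errors


if __name__ == "__main__":
    # The five cases from the mail, plus the all-disabled one, with a
    # constructed OpenSSL build lacking TLSv1.2/1.3 for case 2.
    print(resolve_versions(force="TLSv1.2", disabled={"TLSv1.2"}))
    print(resolve_versions(force="TLSv1.2", supported=("SSLv3", "TLSv1.0", "TLSv1.1")))
    print(resolve_versions(disabled={"TLSv1.0"}, default_min="SSLv3"))
    print(resolve_versions(ssl_min="TLSv1.0", disabled={"TLSv1.1"}))
    print(resolve_versions(ssl_max="TLSv1.2", disabled={"SSLv3"}))
    print(resolve_versions(disabled=set(VERSIONS)))
```

Running case 5 twice, once with the TLSv1.0 floor and once with `default_min="SSLv3"`, shows the point made in the thread: ignoring no-sslv3 only leaves SSLv3 reachable when the default floor still includes it, which is why a higher default floor plus an explicit ssl-min-ver SSLv3 opt-in is the safer combination.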

