> On 5 May 2017 at 17:21, Emmanuel Hocdet <[email protected]> wrote:
> 
> Hi Emeric,
> 
>> On 28 Apr 2017 at 17:57, Emmanuel Hocdet <[email protected]> wrote:
>> 
>> Hi Emeric, Willy
>> 
>> Up the thread with a compatible configuration view.
>> 
>> 1) force-xx force-tlsv12 no-tlsv12
>> old: do a force-tlsv12  (no-xx ignored without warning)
>> new:  warning "all SSL/TLS versions are disabled"
>> 
>> It’s not a good configuration, but… It can be changed with:
>> . no-xx  ignored when force-xx, min-ssl-ver or max-ssl-ver is used  (impact 
>> 4 and 5)
> For compat and to simplify configuration, no-xx: ignored with warning
> 
>> . generate an error
>> . keep warning, but it can depend on 2)
>> 
>> 2) force-tlsv12   with openssl without v1.2 
>> old:   error "option not implemented"
>> new:  warning "all SSL/TLS versions are disabled"
>> => generate an error?
> generate an error 
> 
>> 
>> 3)  no-tlsv10
>> old: hole without warning
>> new: warning 'hole'
>> => I prefer to keep the warning and not generate an error; openssl will deal with that
>> 
> no change
> 
>> 4) min-ssl-ver TLSv1.0 no-tlsv11
>> new:  warning 'hole'
>> . no hole if no-tlsxx  ignored
>> 
> Ignored with warning.
> 
>> 5) max-ssl-ver TLSv1.2  no-sslv3
>>  ok but sslv3 will be activated if no-xx are ignored (1) (need at least a
>> warning)
>> 
> 
> Ignored with warning.
> (I will suggest disabling sslv3 by default for bind. It can be 'forced' with
> ssl-min-ver SSLv3.)
> 
> 
> I added a patch (7) for that. All patches, rebased on current master, are in the mail.
> 

Fixed a bug in patch 7, resending all:

Attachment: 0001-MEDIUM-ssl-revert-ssl-tls-version-settings-relative-.patch
Description: Binary data

Attachment: 0002-MEDIUM-ssl-ssl_methods-implementation-is-reworked-an.patch
Description: Binary data

Attachment: 0003-MEDIUM-ssl-calculate-the-real-min-max-TLS-version-an.patch
Description: Binary data

Attachment: 0004-MINOR-ssl-support-TLSv1.3-for-bind-and-server.patch
Description: Binary data

Attachment: 0005-MINOR-ssl-show-methods-supported-by-openssl.patch
Description: Binary data

Attachment: 0006-MEDIUM-ssl-add-ssl-min-ver-and-ssl-max-ver-parameter.patch
Description: Binary data

Attachment: 0007-MEDIUM-ssl-ssl-min-ver-and-ssl-max-ver-compatibility.patch
Description: Binary data
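
A model of the resolution rules agreed in cases 1 to 5 above, as an added example that is not part of the original mail and is not HAProxy code. The function name `resolve`, its parameters and the "no-xx ignored" warning text are assumptions made here; the suggestion to disable SSLv3 by default for bind is not modelled.

```python
# Hypothetical model of the thread's rules; names and the "no-xx ignored" text are assumptions.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def resolve(force=None, vmin=None, vmax=None, no=(), supported=ORDER):
    """Return (enabled versions, warnings); raise ValueError on a hard error."""
    warnings = []
    if force:                      # force-xx pins both ends of the range
        vmin = vmax = force
    for v in (vmin, vmax):         # case 2: requested version missing from the library
        if v and v not in supported:
            raise ValueError(f"{v} is not supported by the SSL library")
    if vmin or vmax:
        lo = ORDER.index(vmin) if vmin else 0
        hi = ORDER.index(vmax) if vmax else len(ORDER) - 1
        enabled = [v for v in ORDER[lo:hi + 1] if v in supported]
        if no:                     # cases 1, 4, 5: no-xx is ignored with a warning
            warnings.append("no-xx ignored: " + ", ".join(sorted(no)))
    else:
        enabled = [v for v in ORDER if v in supported and v not in no]
        if enabled:                # case 3: a disabled version between two enabled ones
            lo, hi = ORDER.index(enabled[0]), ORDER.index(enabled[-1])
            if any(v in supported and v not in enabled for v in ORDER[lo:hi + 1]):
                warnings.append("hole")
    if not enabled:
        warnings.append("all SSL/TLS versions are disabled")
    return enabled, warnings

if __name__ == "__main__":
    # Constructed inputs mirroring the numbered cases in the mail.
    for label, kw in [
        ("1) force-tlsv12 no-tlsv12", dict(force="TLSv1.2", no=["TLSv1.2"])),
        ("3) no-tlsv10", dict(no=["TLSv1.0"])),
        ("4) min TLSv1.0 no-tlsv11", dict(vmin="TLSv1.0", no=["TLSv1.1"])),
        ("5) max TLSv1.2 no-sslv3", dict(vmax="TLSv1.2", no=["SSLv3"])),
    ]:
        print(label, "->", resolve(**kw))
```

Case 5 shows why the mail asks for at least a warning: once `no-sslv3` is ignored, SSLv3 ends up in the enabled set.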


