Hi,

On 05/05/2017 06:12 PM, Emmanuel Hocdet wrote:
>
>> On 5 May 2017 at 17:21, Emmanuel Hocdet <[email protected]> wrote:
>>
>> Hi Emeric,
>>
>>> On 28 Apr 2017 at 17:57, Emmanuel Hocdet <[email protected]> wrote:
>>>
>>> Hi Emeric, Willy
>>>
>>> Up the thread with a compatible configuration view.
>>>
>>> 1) force-xx force-tlsv12 no-tlsv12
>>> old: do a force-tlsv12 (no-xx ignored without warning)
>>> new: warning "all SSL/TLS versions are disabled"
>>>
>>> It's not a good configuration, but... It can be changed with:
>>> . no-xx ignored when force-xx, min-ssl-ver or max-ssl-ver is used (impact 4 and 5)
>> for compat and to simplify configuration no-xx: ignored with warning
>>
>>> . generate an error
>>> . keep warning, but it can depend on 2)
>>>
>>> 2) force-tlsv12 with openssl without v1.2
>>> old: error "option not implemented"
>>> new: warning "all SSL/TLS versions are disabled"
>>> => generate an error?
>> generate an error
>>
>>>
>>> 3) no-tlsv10
>>> old: hole without warning
>>> new: warning 'hole'
>>> => I prefer to keep the warning and not generate an error, openssl will deal with that
>>>
>> no change
>>
>>> 4) min-ssl-ver TLSv1.0 no-tlsv11
>>> new: warning 'hole'
>>> . no hole if no-tlsxx ignored
>>>
>> Ignored with warning.
>>
>>> 5) max-ssl-ver TLSv1.2 no-sslv3
>>> ok but sslv3 will be activated if no-xx are ignored (1) (need at least warning)
>>>
>>
>> Ignored with warning.
>> (I will suggest to disable sslv3 per default for bind. Can be 'force' with ssl-min-ver SSLv3.)
>>
>>
>> I add a patch (7) for that. All patches rebased from current master in the mail.
>>
>
> fix a bug in patch 7, resend all:
>
>

It seems to do what we want, so we can merge it.

R,
Emeric
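To make the agreed semantics of the five cases concrete, here is an added model of the option resolution discussed in the thread; it is not HAProxy's own parser. It assumes the final option names `ssl-min-ver`/`ssl-max-ver`, the four versions OpenSSL offered at the time, and a `supported` set standing in for what the linked library provides (case 2).

```python
# Added model of the bind-line SSL version option semantics from the thread; not HAProxy code.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]          # assumption: 2017-era OpenSSL
SHORT = {"sslv3": "SSLv3", "tlsv10": "TLSv1.0", "tlsv11": "TLSv1.1", "tlsv12": "TLSv1.2"}


def resolve(options, supported=frozenset(VERSIONS)):
    """Return (enabled, warnings, errors) for a list of options.

    options:   e.g. ["force-tlsv12", "no-tlsv11", "ssl-min-ver TLSv1.0"]
    supported: versions the linked SSL library implements (hypothetical stand-in).
    """
    warnings, errors = [], []
    force, lo, hi, disabled = None, None, None, []
    for opt in options:
        if opt.startswith("force-"):
            force = SHORT[opt[6:]]
        elif opt.startswith("no-"):
            disabled.append(SHORT[opt[3:]])
        elif opt.startswith("ssl-min-ver "):
            lo = opt.split()[1]
        elif opt.startswith("ssl-max-ver "):
            hi = opt.split()[1]
        else:
            raise ValueError("unknown option: " + opt)

    if force is not None:
        lo = hi = force                      # force-xx is a one-version range
    # Cases 1/4/5: once an explicit range is given, no-xx is ignored with a warning.
    if disabled and (lo or hi):
        warnings.append("no-xx ignored because force-xx/ssl-min-ver/ssl-max-ver is set")
        disabled = []
    lo_i = VERSIONS.index(lo) if lo else 0
    hi_i = VERSIONS.index(hi) if hi else len(VERSIONS) - 1
    candidate = [v for v in VERSIONS[lo_i:hi_i + 1] if v not in disabled]

    # Case 3: a gap inside the range (e.g. only no-tlsv10) is warned about, not refused.
    idx = [VERSIONS.index(v) for v in candidate]
    if idx and (idx[-1] - idx[0] + 1) != len(idx):
        warnings.append("hole in the enabled SSL/TLS version range")
    # Case 2: forcing a version the library lacks is an error.
    if force and force not in supported:
        errors.append(force + " not implemented by the SSL library")
    enabled = [v for v in candidate if v in supported]
    if not enabled and not errors:
        warnings.append("all SSL/TLS versions are disabled")   # wording from the thread
    return enabled, warnings, errors
```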

