lordgamez commented on code in PR #1600:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1600#discussion_r1251996369


##########
libminifi/src/controllers/SSLContextService.cpp:
##########
@@ -196,16 +196,16 @@ bool SSLContextService::configure_ssl_context(SSL_CTX 
*ctx) {
   }
 
   // Security level set to 0 for backwards compatibility to support TLS 
versions below v1.2
-  SSL_CTX_set_security_level(ctx, 0);
+  if (minimum_tls_version_ < TLS1_2_VERSION || maximum_tls_version_ < 
TLS1_2_VERSION) {
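Review bot: the new guard on the `+` line treats any value below `TLS1_2_VERSION` as a request for legacy TLS, so an "unset" sentinel such as `-1` in either `minimum_tls_version_` or `maximum_tls_version_` also satisfies `< TLS1_2_VERSION` and drops the security level to 0 even though no pre-1.2 version was configured. Exclude the unset value explicitly, e.g. `(minimum_tls_version_ != -1 && minimum_tls_version_ < TLS1_2_VERSION) || (maximum_tls_version_ != -1 && maximum_tls_version_ < TLS1_2_VERSION)`, so the OpenSSL 3 default (TLS 1.2+) stays in force unless an older version is asked for. Security level 0 does more than re-enable TLS 1.0/1.1, it also permits weak ciphers and short keys, so the comment above the call should say it is only applied when a legacy version was explicitly requested.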

Review Comment:
   By default only TLS 1.2 or above is enabled in OpenSSL 3. If we set the minimum version or the maximum below that, we should enable legacy mode to allow versions older than 1.2 to be used after version negotiation. But thinking about what you said, I think the `-1` value should also be checked, because if we "do not care" then we should rather use the default values, which is to allow only the TLS 1.2+ versions. Legacy versions should only be used when specified. Updated in 234608e9d16a8e2c7d60b049fb2264bcaaf1c2fd
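The sentinel pitfall discussed in this comment, as an added example that is not code from nifi-minifi-cpp or from the reviewer: the predicate as written in the hunk next to a version that treats an unset bound as "keep the default". The TLS version constants are assumed to mirror the values in OpenSSL's `<openssl/ssl.h>` so the logic can be exercised without linking OpenSSL, and `-1` is assumed to be the "not configured" value the thread refers to; the names `naive_needs_legacy`, `needs_legacy` and `security_level_for` are hypothetical.

```cpp
#include <iostream>
#include <optional>

// Assumption: these mirror OpenSSL's TLS1_*_VERSION values from <openssl/ssl.h>.
constexpr int TLS1_VERSION   = 0x0301;
constexpr int TLS1_1_VERSION = 0x0302;
constexpr int TLS1_2_VERSION = 0x0303;
constexpr int TLS1_3_VERSION = 0x0304;

// Assumption: -1 means "minimum/maximum version not configured", as in the discussion.
constexpr int VERSION_UNSET = -1;

// The condition as it appears in the hunk: anything below TLS 1.2 enables legacy
// mode. Because -1 is also below TLS1_2_VERSION, "do not care" enables it too.
bool naive_needs_legacy(int min_version, int max_version) {
  return min_version < TLS1_2_VERSION || max_version < TLS1_2_VERSION;
}

// Corrected predicate: only an explicitly configured bound below TLS 1.2 counts.
bool needs_legacy(int min_version, int max_version) {
  auto explicit_legacy = [](int v) {
    return v != VERSION_UNSET && v < TLS1_2_VERSION;
  };
  return explicit_legacy(min_version) || explicit_legacy(max_version);
}

// Security level to pass to SSL_CTX_set_security_level: 0 when a legacy version
// was asked for (this also re-enables weak ciphers and short keys, so it is the
// exception), std::nullopt when the library default should be left untouched.
std::optional<int> security_level_for(int min_version, int max_version) {
  if (needs_legacy(min_version, max_version)) {
    return 0;
  }
  return std::nullopt;
}

int main() {
  struct Case { const char* label; int min; int max; };
  // Constructed inputs covering the unset sentinel and explicit legacy bounds.
  const Case cases[] = {
    {"both unset",            VERSION_UNSET,  VERSION_UNSET},
    {"min TLS1.0, max unset", TLS1_VERSION,   VERSION_UNSET},
    {"min unset, max TLS1.1", VERSION_UNSET,  TLS1_1_VERSION},
    {"TLS1.2 .. TLS1.3",      TLS1_2_VERSION, TLS1_3_VERSION},
  };
  for (const auto& c : cases) {
    auto level = security_level_for(c.min, c.max);
    std::cout << c.label
              << ": naive=" << naive_needs_legacy(c.min, c.max)
              << " fixed=" << needs_legacy(c.min, c.max)
              << " level=" << (level ? std::to_string(*level) : "default")
              << '\n';
  }
  return 0;
}
```

Only the "both unset" row differs between the two predicates, which is exactly the case the reviewer flags: with the naive check an operator who never configured a version bound would silently run at security level 0.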



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.