adamdebreceni commented on code in PR #1600:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1600#discussion_r1252788325
##########
libminifi/src/controllers/SSLContextService.cpp:
##########
@@ -196,16 +196,16 @@ bool SSLContextService::configure_ssl_context(SSL_CTX
*ctx) {
}
// Security level set to 0 for backwards compatibility to support TLS
versions below v1.2
- SSL_CTX_set_security_level(ctx, 0);
+ if (minimum_tls_version_ < TLS1_2_VERSION || maximum_tls_version_ <
TLS1_2_VERSION) {
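Review bot: The added `if` condition compares `minimum_tls_version_` and `maximum_tls_version_` against `TLS1_2_VERSION` with no visible check for an unset value. If an unset version is stored as a negative sentinel, both comparisons are true by default and the security level would still drop to 0 for every configuration that leaves the versions unset. Consider guarding each operand with an explicit is-set check. The retained comment above ("Security level set to 0 for backwards compatibility ...") should also be reworded to state the condition under which the level is lowered, since the call is no longer unconditional.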
Review Comment:
I'm still having trouble wrapping my head around this. For the negotiation to
be able to choose < 1.2 we have to set the security level to 0, but we also
have to either specify a minimum version < 1.2 or not set the minimum version
at all. So as I understand it, < 1.2 can only NOT be negotiated if
`minimum_tls_version_ >= 1.2`; all other cases allow for < 1.2, but for that we
need to also set the security level to 0. So the condition should only be
`minimum_tls_version_ != -1 && minimum_tls_version_ < TLS1_2_VERSION`, so the
user explicitly set the minimum version to allow pre-1.2. It seems to me that
the maximum version does not really play a role.