lordgamez commented on code in PR #1600:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1600#discussion_r1252815701
##########
libminifi/src/controllers/SSLContextService.cpp:
##########
@@ -196,16 +196,16 @@ bool SSLContextService::configure_ssl_context(SSL_CTX
*ctx) {
}
// Security level set to 0 for backwards compatibility to support TLS
versions below v1.2
- SSL_CTX_set_security_level(ctx, 0);
+ if (minimum_tls_version_ < TLS1_2_VERSION || maximum_tls_version_ <
TLS1_2_VERSION) {
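Review bot: the new condition `if (minimum_tls_version_ < TLS1_2_VERSION || maximum_tls_version_ < TLS1_2_VERSION)` only behaves as intended if an unconfigured bound is never numerically below TLS1_2_VERSION; with a sentinel such as -1 (as in the table in the review) or OpenSSL's 0 for "no limit", an unset minimum makes the first comparison true and drops the context to security level 0 even when only TLS 1.2/1.3 would be negotiated. Guard each comparison with an explicit configured check, e.g. `minimum_tls_version_ != <unset> && minimum_tls_version_ < TLS1_2_VERSION`, and the same for the maximum. The comment above the line still says security level 0 is set unconditionally for backwards compatibility; it should now say the level is lowered only when a pre-1.2 version is configured, since level 0 also lifts OpenSSL's other minimum-strength checks, not just the version floor.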
Review Comment:
If we do not set the minimum version (or maximum version) at all, then the
default is TLS 1.2 or 1.3, whichever is available. In the negotiation, the
highest version available to both peers is always chosen. If we only set the
maximum version to be, for example, TLS 1.1, in that case the security level
has to be set to 0 to be able to choose any version below TLS 1.2. So even if
the minimum version is not set we have to check if the maximum version is
below TLS 1.2.
This is how I imagine the current workflow:
```
minTLS  maxTLS  availableTLSVersions  needsSecurityLevel0
-1      -1      1.2, 1.3              False
1.2     1.2     1.2                   False
1.1     -1      1.1, 1.2, 1.3         True
-1      1.1     1, 1.1                True
1       1.1     1, 1.1                True
```
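The decision described in the comment above, as an added stand-alone model (not code from the nifi-minifi-cpp project): it resolves configured min/max bounds to the versions that would be negotiable and decides whether security level 0 is needed, treating the unset sentinel explicitly so an unconfigured bound never counts as "below TLS 1.2". The `kUnset` value (-1, as in the table), the `tls_policy` namespace and the function names are assumptions; the version constants mirror OpenSSL's `<openssl/tls1.h>`.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

namespace tls_policy {

// Protocol version numbers as OpenSSL defines them (consecutive, so a range can be iterated)
constexpr int TLS1_VERSION   = 0x0301;
constexpr int TLS1_1_VERSION = 0x0302;
constexpr int TLS1_2_VERSION = 0x0303;
constexpr int TLS1_3_VERSION = 0x0304;
constexpr int kUnset = -1;  // constructed sentinel for "not configured", as in the review table

struct Range { int min; int max; };

// Resolve the configured bounds to the range that would actually be negotiated.
// With nothing configured the defaults are TLS 1.2 and 1.3 (as the review states);
// a maximum below 1.2 with no minimum opens the range down to TLS 1.0.
inline Range effectiveRange(int configured_min, int configured_max) {
  Range r{configured_min, configured_max};
  if (r.max == kUnset) r.max = TLS1_3_VERSION;
  if (r.min == kUnset) r.min = (r.max < TLS1_2_VERSION) ? TLS1_VERSION : TLS1_2_VERSION;
  return r;
}

inline std::vector<int> availableVersions(int configured_min, int configured_max) {
  const Range r = effectiveRange(configured_min, configured_max);
  std::vector<int> out;
  for (int v = r.min; v <= r.max; ++v) out.push_back(v);
  return out;
}

// Security level 0 is needed only if a *configured* bound is below TLS 1.2.
// A bare `configured_min < TLS1_2_VERSION` would also fire for the kUnset sentinel.
inline bool needsSecurityLevel0(int configured_min, int configured_max) {
  const bool min_below = configured_min != kUnset && configured_min < TLS1_2_VERSION;
  const bool max_below = configured_max != kUnset && configured_max < TLS1_2_VERSION;
  return min_below || max_below;
}

}  // namespace tls_policy

int main() {
  using namespace tls_policy;
  const int rows[][2] = {{kUnset, kUnset}, {TLS1_2_VERSION, TLS1_2_VERSION}, {TLS1_1_VERSION, kUnset},
                         {kUnset, TLS1_1_VERSION}, {TLS1_VERSION, TLS1_1_VERSION}};
  for (const auto& row : rows) {
    std::printf("min=%d max=%d versions=%zu needsLevel0=%s\n", row[0], row[1],
                availableVersions(row[0], row[1]).size(), needsSecurityLevel0(row[0], row[1]) ? "True" : "False");
  }
  return 0;
}
```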
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]