On Thu, Dec 04, 2014 at 10:16:47AM +0100, Tomas Hoger wrote:
> On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote:
>
> > This is an initial patch to support being able to set the minimum
> > and maximum protocol version. The patch is currently untested,
> > that will happen as I rewrite other things. But I'm looking for
> > feedback.
>
> It seems *TLS*_VERSION constants are meant to be used to set minimum /
> maximum. A drawback of such an approach is that applications need to be
> recompiled and/or modified when OpenSSL is updated with support for a
> newer protocol version, if use of the new version is to be controlled
> via this API.

So if I understand you right, say that we make a release that supports up to TLS 1.2 and your application is compiled against that. That would mean it will only know how to set the minimum and maximum to TLS 1.2. If I then add support for TLS 1.3 there would be no way to say that TLS 1.3 should be the minimum without adding support for that in the application?

> We've seen such issues when OpenSSL was updated from 1.0.0 to 1.0.1 in
> Red Hat Enterprise Linux. Some users needed to disable TLS 1.2 in
> mod_ssl, but that required httpd changes.

And both TLS 1.1 and 1.2 were added, so you would only be able to set the maximum to TLS 1.0 even if you would like to use TLS 1.1.

> Maybe applications may benefit from an API where they can pass a string
> set by the end user and let OpenSSL parse the version number from that.

That sounds like a good idea, but I need to think more about it, like what to do in case someone gives a string it doesn't understand.

> SSLProtocolMin "TLSv1.0"
>
> instead of
>
> SSLProtocol all -SSLv2 -SSLv3
>
> Or maybe have a way to control protocol versions via the cipher suite
> string. Similar to what GnuTLS does with its priority string, which
> can set ciphers, protocol versions, etc.

I was thinking about that too before. We already have SECLEVEL in there now (in 1.0.2). So I'm wondering how many ways I should support.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
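An added sketch of the string-based approach Tomas suggests, with the unknown-string case Kurt raises handled by refusing the configuration rather than guessing; this is illustration code, not the patch under discussion or OpenSSL's own implementation. The function names `parse_proto_version` and `set_proto_range` are hypothetical, and the numeric values are the TLS wire version numbers (which OpenSSL's `SSL3_VERSION` / `TLS1_*_VERSION` constants also use).

```c
#include <stddef.h>
#include <string.h>

/* Protocol version numbers as carried on the wire; OpenSSL's
 * SSL3_VERSION / TLS1_*_VERSION constants hold the same values. */
#define SSL3_VER   0x0300
#define TLS1_0_VER 0x0301
#define TLS1_1_VER 0x0302
#define TLS1_2_VER 0x0303
#define TLS1_3_VER 0x0304

/* Hypothetical parser for a user-supplied string such as "TLSv1.2".
 * Returns the version number, or 0 when the string names no version
 * this build knows, so the caller can reject the configuration instead
 * of silently substituting another version. */
int parse_proto_version(const char *s)
{
    static const struct { const char *name; int ver; } table[] = {
        { "SSLv3",   SSL3_VER },
        { "TLSv1",   TLS1_0_VER },   /* both spellings are common */
        { "TLSv1.0", TLS1_0_VER },
        { "TLSv1.1", TLS1_1_VER },
        { "TLSv1.2", TLS1_2_VER },
        { "TLSv1.3", TLS1_3_VER },
    };
    size_t i;

    if (s == NULL)
        return 0;
    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strcmp(s, table[i].name) == 0)
            return table[i].ver;
    return 0;
}

/* Hypothetical helper that turns a min/max pair of config strings into
 * a version range. An empty or NULL string means "no bound on that
 * side" (0). Returns 1 and fills the range on success; returns 0 and
 * leaves the outputs untouched if a string is unknown or min > max. */
int set_proto_range(const char *min_s, const char *max_s,
                    int *min_out, int *max_out)
{
    int min_v = 0, max_v = 0;

    if (min_s != NULL && *min_s != '\0' && (min_v = parse_proto_version(min_s)) == 0)
        return 0;
    if (max_s != NULL && *max_s != '\0' && (max_v = parse_proto_version(max_s)) == 0)
        return 0;
    if (min_v != 0 && max_v != 0 && min_v > max_v)
        return 0;
    *min_out = min_v;
    *max_out = max_v;
    return 1;
}
```

Because the strings are interpreted by the library at run time, an application built this way picks up a newly supported version as soon as the library's table grows, without being recompiled.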