On Sun, 2020-11-01 at 11:16 -0500, Paul Smith wrote:
> Does anyone have any ideas about what I might check to figure out
> what's happening here? The release notes discuss enabling
> MinProtocol and MaxProtocol; I do not use these and in fact I don't
> invoke SSL_CONF_*() at all. Is this an issue? Should I do this?
Hm. OK, I checked my code and I wasn't using SSL_CONF_*(), but I was using this after I created my SSL_CTX:

    _ctxt = SSL_CTX_new(TLS_method());
    SSL_CTX_set_min_proto_version(_ctxt, TLS1_2_VERSION);

Does that no longer work properly for some reason?

If I replace the above with this:

    _ctxt = SSL_CTX_new(TLS_method());
    SSL_CONF_CTX* cctxt = SSL_CONF_CTX_new();
    SSL_CONF_CTX_set_ssl_ctx(cctxt, _ctxt);
    SSL_CONF_cmd(cctxt, "MinProtocol", "TLSv1.2");

Now it works. Is this a bug? Or was I just never using the interface properly?

If I switch to the new method of configuration, it's not clear to me whether or not I need to preserve the SSL_CONF_CTX structure after the above code bit, as long as the SSL_CTX is there, or if I can free it immediately afterward. Based on the way it's used it seems like it only needs to exist as long as I need to configure the SSL_CTX, then it can go away and the SSL_CTX can live on.