[jira] [Updated] (PROTON-2009) OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with SSL_CTX_set_options

2019-02-22 Thread Andrew Stitcher (JIRA)


 [ 
https://issues.apache.org/jira/browse/PROTON-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Stitcher updated PROTON-2009:

Description: 
The OpenSSL SSL_OP_NO_TLSvxxx options are deprecated for use in 
SSL_CTX_set_options().

As of OpenSSL 1.1 the way to specify TLS versions is through a min-version and 
max-version scheme - this is more code future proof.

You can specify a minimum version and 0 for the maximum meaning the latest 
version.

Proton's interface to this allows more than can be specified using the min/max 
API as you can specify each protocol individually.

The proton code is also not future proof in that it "knows" about each TLS 
protocol individually in the code.

  was:
The SSL_OP_NO_TLSxxx options are deprecated.

The new way to specify TLS versions is through a min-version and max-version 
scheme - this is more code future proof. You can specify a minimum version and 
0 for the maximum meaning the latest version.

Proton's interface to this allows more than can be specified using the min/max 
API as you can specify each protocol individually.

The proton code is also not future proof in that it "knows" about each TLS 
protocol individually in the code.


> OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with 
> SSL_CTX_set_options
> 
>
> Key: PROTON-2009
> URL: https://issues.apache.org/jira/browse/PROTON-2009
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, OpenSSL 1.1.1 FIPS  11 Sep 2018
> Reporter: Chuck Rolke
> Assignee: Andrew Stitcher
> Priority: Major
>
> The OpenSSL SSL_OP_NO_TLSvxxx options are deprecated for use in 
> SSL_CTX_set_options().
> As of OpenSSL 1.1 the way to specify TLS versions is through a min-version and 
> max-version scheme - this is more code future proof.
> You can specify a minimum version and 0 for the maximum meaning the latest 
> version.
> Proton's interface to this allows more than can be specified using the 
> min/max API as you can specify each protocol individually.
> The proton code is also not future proof in that it "knows" about each TLS 
> protocol individually in the code.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
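
The mismatch the description points out, as an added example (not Proton's code and not part of the JIRA issue): a per-protocol enable set only maps onto the min/max scheme when the enabled versions are contiguous. All `EX_`/`ex_` names are hypothetical, the numeric values are the TLS wire versions that OpenSSL's `TLS1_VERSION` .. `TLS1_3_VERSION` macros also use, and returning 0 ("latest") as the maximum when the newest known version is enabled is an assumed policy.

```c
#include <stdio.h>

/* TLS wire version numbers; OpenSSL's TLS1_VERSION..TLS1_3_VERSION macros
 * carry the same values. The EX_ and ex_ names are hypothetical. */
enum { EX_TLS1_0 = 0x0301, EX_TLS1_1 = 0x0302,
       EX_TLS1_2 = 0x0303, EX_TLS1_3 = 0x0304 };
/* Hypothetical per-protocol enable bits, oldest protocol in bit 0. */
enum { EX_EN_TLS1_0 = 1 << 0, EX_EN_TLS1_1 = 1 << 1,
       EX_EN_TLS1_2 = 1 << 2, EX_EN_TLS1_3 = 1 << 3 };

static const int ex_versions[] = { EX_TLS1_0, EX_TLS1_1, EX_TLS1_2, EX_TLS1_3 };
#define EX_NVERSIONS ((int)(sizeof ex_versions / sizeof ex_versions[0]))

/* Turn a set of individually enabled protocols into a min/max pair.
 * Returns 0 on success; -1 if the set is empty, has unknown bits, or has a
 * gap (e.g. 1.0 and 1.2 without 1.1), which min/max cannot express.
 * Assumption: if the newest known version is enabled, *max is 0 ("latest"). */
int ex_mask_to_range(unsigned mask, int *min, int *max)
{
    int lo = -1, hi = -1;
    if (mask >> EX_NVERSIONS)
        return -1;                  /* bits for versions this table lacks */
    for (int i = 0; i < EX_NVERSIONS; i++) {
        if (!(mask & (1u << i)))
            continue;
        if (lo < 0)
            lo = i;
        else if (hi != i - 1)
            return -1;              /* hole in the enabled set */
        hi = i;
    }
    if (lo < 0)
        return -1;                  /* nothing enabled */
    *min = ex_versions[lo];
    *max = (hi == EX_NVERSIONS - 1) ? 0 : ex_versions[hi];
    return 0;
}

int main(void)
{
    int min, max;
    /* With OpenSSL 1.1.0+ the pair goes to SSL_CTX_set_min_proto_version()
     * and SSL_CTX_set_max_proto_version() instead of SSL_OP_NO_TLSv* bits. */
    if (ex_mask_to_range(EX_EN_TLS1_2 | EX_EN_TLS1_3, &min, &max) == 0)
        printf("min=0x%04x max=0x%04x\n", (unsigned)min, (unsigned)max);
    if (ex_mask_to_range(EX_EN_TLS1_0 | EX_EN_TLS1_2, &min, &max) != 0)
        printf("TLS 1.0 + 1.2 without 1.1: not expressible as a range\n");
    return 0;
}
```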



[jira] [Updated] (PROTON-2009) OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with SSL_CTX_set_options

2019-02-22 Thread Andrew Stitcher (JIRA)


 [ 
https://issues.apache.org/jira/browse/PROTON-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Stitcher updated PROTON-2009:

Environment: Fedora 29, OpenSSL 1.1.1 FIPS  11 Sep 2018  (was: Fedora 29, 
Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018)

> OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with 
> SSL_CTX_set_options
> 
>
> Key: PROTON-2009
> URL: https://issues.apache.org/jira/browse/PROTON-2009
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, OpenSSL 1.1.1 FIPS  11 Sep 2018
> Reporter: Chuck Rolke
> Assignee: Andrew Stitcher
> Priority: Major
>
> The SSL_OP_NO_TLSxxx options are deprecated.
> The new way to specify TLS versions is through a min-version and max-version 
> scheme - this is more code future proof. You can specify a minimum version 
> and 0 for the maximum meaning the latest version.
> Proton's interface to this allows more than can be specified using the 
> min/max API as you can specify each protocol individually.
> The proton code is also not future proof in that it "knows" about each TLS 
> protocol individually in the code.






[jira] [Updated] (PROTON-2009) OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with SSL_CTX_set_options

2019-02-22 Thread Andrew Stitcher (JIRA)


 [ 
https://issues.apache.org/jira/browse/PROTON-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Stitcher updated PROTON-2009:

Description: 
The SSL_OP_NO_TLSxxx options are deprecated.

The new way to specify TLS versions is through a min-version and max-version 
scheme - this is more code future proof. You can specify a minimum version and 
0 for the maximum meaning the latest version.

Proton's interface to this allows more than can be specified using the min/max 
API as you can specify each protocol individually.

The proton code is also not future proof in that it "knows" about each TLS 
protocol individually in the code.

  was:
There are several related issues:
 * OpenSSL 1.1.1 adds protocol version TLSv1_3. The current config interface 
has no way to enable or disable that version. This was predicted in PROTON-1670.
 * The OP_NO_TLSxxx options are deprecated.
 * The new way to specify TLS versions is through a min-version and max-version 
scheme. Proton offers no interface for that to client customers.
 * The ssl self test tests the customer interface nicely but does not test that 
the requested TLS versions used by the domain are enforced or not. 
Qpid-dispatch has a self test that exercises actual connections 
[https://github.com/apache/qpid-dispatch/blob/master/tests/system_tests_ssl.py] 
and it is failing with OpenSSL v1.1.1.


> OpenSSL API has changed and now deprecates SSL_OP_NO_TLSv* used with 
> SSL_CTX_set_options
> 
>
> Key: PROTON-2009
> URL: https://issues.apache.org/jira/browse/PROTON-2009
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: proton-c-0.26.0
> Environment: Fedora 29, Python 2.7.15, OpenSSL 1.1.1 FIPS  11 Sep 2018
> Reporter: Chuck Rolke
> Assignee: Andrew Stitcher
> Priority: Major
>
> The SSL_OP_NO_TLSxxx options are deprecated.
> The new way to specify TLS versions is through a min-version and max-version 
> scheme - this is more code future proof. You can specify a minimum version 
> and 0 for the maximum meaning the latest version.
> Proton's interface to this allows more than can be specified using the 
> min/max API as you can specify each protocol individually.
> The proton code is also not future proof in that it "knows" about each TLS 
> protocol individually in the code.


