I feel that openssl upstream needs to add:

server_context.verify_consistent()

Because in the above example, even before trying to establish the
connection between the two contexts, the server context is already
internally inconsistent.

And upstream has changed the meaning of security levels in the past, and
will do so again in the future. Ditto distro customization, which brought
a preview of such a change earlier.

It does feel that until such API arrives upstream, one needs to do
something to the effect of:

1) if the openssl version is 3.x and the security level is greater than 0, assume no TLS1.1 is available
2) if the openssl version is 1.1.1+ and the security level is greater than 1, assume no TLS1.1 is available
3) if ctx.get_min_proto_level returns TLS1.2, assume no TLS1.1 is available
4) else try setting min_proto_level and run the tests
5) if min_proto_level is not available, the build is against the openssl 1.0.2x series; TLS1.1 is probably available

The above logic should cover the next upstream openssl version; the current
deployments of ubuntu derivatives; the debian derivatives; and the
fedora/rhel derivatives.

I think....

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917625

Title:
  OpenSSL TLS 1.1 handshake fails internal error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

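As an added example (my own code, not from the bug report above, nor from the Python ssl module or OpenSSL upstream), here is the five-step check from the message written against Python's ssl module, which is where a Python TLS 1.1 test would apply it. The decision takes the version tuple, the security level and the protocol floor as plain inputs, so it can be exercised without any particular OpenSSL build, and a separate probe gathers those inputs from the interpreter it runs under. Assumptions: Python 3.7+ for SSLContext.minimum_version; SSLContext.security_level only exists on Python 3.10+, so where it is missing the two security-level steps are skipped; the function and parameter names (tls11_expected, probe_local_openssl, has_min_version_api) are mine.

```python
"""Heuristic from the bug thread: decide whether a TLS 1.1 handshake can be
expected to work for the OpenSSL build Python is linked against.

Added example, not code from the bug report, CPython or OpenSSL.
Assumptions: Python >= 3.7 (SSLContext.minimum_version, ssl.TLSVersion);
SSLContext.security_level is a Python >= 3.10 attribute, so when it is
absent the security-level steps are skipped rather than guessed.
"""
import ssl
from typing import Optional, Sequence


def tls11_expected(version_info: Sequence[int],
                   security_level: Optional[int],
                   min_version: Optional[int],
                   has_min_version_api: bool) -> bool:
    """Return True when TLS 1.1 should be attempted (steps 4 and 5 of the
    message), False when the heuristic says it is disabled (steps 1 to 3).

    version_info      -- (major, minor, fix[, ...]) as in ssl.OPENSSL_VERSION_INFO
    security_level    -- SSLContext.security_level, or None when unknown
    min_version       -- SSLContext.minimum_version (an ssl.TLSVersion) or None
    has_min_version_api -- False when minimum_version is not available at all
    """
    if not has_min_version_api:
        # Step 5: no min_proto_version API means an OpenSSL 1.0.2 series
        # build; the message says TLS 1.1 is probably available there.
        return True
    ver = tuple(version_info[:3])
    if security_level is not None:
        # Step 1: OpenSSL 3.x, any security level above 0 rules out TLS 1.1.
        if ver >= (3, 0, 0) and security_level > 0:
            return False
        # Step 2: OpenSSL 1.1.1+, only level 2 and above rules it out.
        if (1, 1, 1) <= ver < (3, 0, 0) and security_level > 1:
            return False
    # Step 3: a protocol floor already at TLS 1.2 or higher excludes TLS 1.1.
    if min_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        return False
    # Step 4: nothing rules it out; set the floor to TLS 1.1 and run tests.
    return True


def probe_local_openssl() -> dict:
    """Gather the inputs from the running interpreter and apply the heuristic.

    Also performs the step-4 action of lowering the floor to TLS 1.1.  Note
    that the assignment succeeding is not proof the handshake will work: the
    bug report above is about exactly that case, a context that accepts the
    setting and then fails the handshake with an internal error.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    info = {
        "openssl_version": ssl.OPENSSL_VERSION,
        "version_info": tuple(ssl.OPENSSL_VERSION_INFO[:3]),
        # Python < 3.10 has no security_level attribute; report None.
        "security_level": getattr(ctx, "security_level", None),
    }
    try:
        info["min_version"] = ctx.minimum_version
        info["has_min_version_api"] = True
    except (AttributeError, ValueError):
        # Builds without SSL_CTX_get_min_proto_version (OpenSSL 1.0.2).
        info["min_version"] = None
        info["has_min_version_api"] = False

    info["tls11_expected"] = tls11_expected(
        info["version_info"], info["security_level"],
        info["min_version"], info["has_min_version_api"])

    info["could_set_tls11_floor"] = None
    if info["has_min_version_api"] and info["tls11_expected"]:
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_1
            info["could_set_tls11_floor"] = True
        except (ValueError, ssl.SSLError):
            info["could_set_tls11_floor"] = False
    return info


if __name__ == "__main__":
    for key, value in probe_local_openssl().items():
        print(f"{key}: {value}")
```

Running the module prints the probe for the local build; the decision function is the part a test suite would import, feeding it the version tuple, security level and floor before deciding whether to even attempt the TLS 1.1 handshake.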