> I feel that openssl upstream needs to add: server_context.verify_consistent()

Yeah, I agree with you. :) The idea came up three years ago when I filed issue https://github.com/openssl/openssl/issues/5127

> 1) if openssl version 3.x, and security level is greater than 0, assume no
> TLS1.1 is available

Thank you, I'll consider this fact when I implement OpenSSL 3.0.0 support.

> 2) if openssl version 1.1.1+, and security level is greater than 1, assume no
> TLS1.1 is available

TLS 1.1 connections work fine on seclevel 2 with default upstream OpenSSL 1.1.1 and with Fedora's OpenSSL 1.1.1 using crypto-policy "DEFAULT". I'm using server_context.set_ciphers("@SECLEVEL=2:ALL") to change the security level. Here Ubuntu deviates from standard OpenSSL 1.1.1 policies. So I ask again: should we detect and special-case the deviation and document it?

> 3) if ctx.get_min_proto_level returns TLS1.2 assume no TLS1.1 is available

That's the original problem, https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878. On Ubuntu, SSL_CTX_get_min_proto_version() returns 0 (lowest available version) and TLS1_VERSION is available.

> 4) else try setting min_proto_level and run tests

The setter SSL_CTX_set_min_proto_version() does not return an error indication.

** Bug watch added: github.com/openssl/openssl/issues #5127
   https://github.com/openssl/openssl/issues/5127

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917625

Title:
  OpenSSL TLS 1.1 handshake fails internal error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
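The detection strategy argued over above (items 1, 3 and 4 of the quoted list, with the security level set the way the reply describes, via set_ciphers("@SECLEVEL=n:ALL")), written out as an added example. This is not code from the bug thread, from Ubuntu's OpenSSL package or from CPython's ssl module; the function names are mine, and `probe_handshake` assumes you supply paths to a throwaway self-signed certificate and key. The point it makes is the one the reply makes: everything the API exposes (minimum_version, security_level, HAS_TLSv1_1) can say "TLS 1.1 is available" while a patched build still fails the handshake, so only the in-memory handshake in `probe_handshake` is conclusive.

```python
import ssl

TLS11 = ssl.TLSVersion.TLSv1_1
TLS12 = ssl.TLSVersion.TLSv1_2


def make_context(seclevel=None, floor=None):
    """Server context configured the way the thread does it.

    seclevel is applied through the cipher string ("@SECLEVEL=n:ALL"), which
    is the only portable way to set it from Python; floor, if given, becomes
    minimum_version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if seclevel is not None:
        ctx.set_ciphers(f"@SECLEVEL={seclevel}:ALL")
    if floor is not None:
        ctx.minimum_version = floor
    return ctx


def context_facts(ctx):
    """Everything the ssl module can observe about a context without a handshake.

    On a stock OpenSSL none of these change when a distro patch disables
    TLS 1.1 at a given security level, which is why they cannot reveal it.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION_INFO[:3],
        "has_tlsv1_1": ssl.HAS_TLSv1_1,          # False only if compiled out
        "minimum_version": ctx.minimum_version,  # MINIMUM_SUPPORTED == "0" in C
        # SSLContext.security_level is Python 3.10+; None on older interpreters.
        "security_level": getattr(ctx, "security_level", None),
    }


def tls11_expected(ctx):
    """Items 1 and 3 of the proposed heuristic, applied in order.

    Returns False when the API already rules TLS 1.1 out, True when nothing
    observable forbids it. True is not a guarantee: it is exactly the case
    the reply says needs a real handshake (item 4, see probe_handshake).
    """
    facts = context_facts(ctx)
    if not facts["has_tlsv1_1"]:
        return False                                   # compiled out entirely
    level = facts["security_level"]
    if facts["openssl_version"][0] >= 3 and level is not None and level > 0:
        return False                                   # item 1: OpenSSL 3.x, seclevel > 0
    if facts["minimum_version"] >= TLS12:
        return False                                   # item 3: floor already at 1.2
    return True                                        # item 4: must actually test


def probe_handshake(certfile, keyfile, version=TLS11, seclevel=None, rounds=8):
    """Item 4: pin both sides to `version` and run an in-memory handshake.

    Returns True if the handshake completes, False if OpenSSL rejects the
    version when it is configured (ValueError from the min/max setters) or
    during the handshake (SSLError, which is how an "internal error" alert
    surfaces). certfile/keyfile are assumed to be a throwaway self-signed pair.
    """
    try:
        server_ctx = make_context(seclevel=seclevel)
        server_ctx.load_cert_chain(certfile, keyfile)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.check_hostname = False
        client_ctx.verify_mode = ssl.CERT_NONE
        for ctx in (server_ctx, client_ctx):
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError:
        return False                                   # setter refused the version

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    def pump():
        # Move whatever each side wrote into the other side's input BIO.
        s_in.write(c_out.read())
        c_in.write(s_out.read())

    pending = [client, server]
    try:
        for _ in range(rounds):
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass                               # needs the peer's next flight
                pump()
            if not pending:
                return True
    except ssl.SSLError:
        return False                                   # alert or internal error
    return False                                       # did not converge


def tls11_usable(certfile, keyfile, seclevel=None):
    """The consistency check the thread wishes upstream offered: API facts
    first, then the handshake that actually decides."""
    if not tls11_expected(make_context(seclevel=seclevel)):
        return False
    return probe_handshake(certfile, keyfile, TLS11, seclevel=seclevel)
```

On the Ubuntu build described in this bug, `tls11_expected(make_context(seclevel=2))` comes back True, because the minimum protocol version reads as 0 and TLS1_VERSION is compiled in, and it is `probe_handshake` that returns False. To try it locally, generate a throwaway pair with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj /CN=localhost` and call `tls11_usable("cert.pem", "key.pem", seclevel=2)`.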
