On 2017-08-27 12:46:59 [+0200], To Timo Sirainen wrote:
On 27 August 2017 08:32:06 CEST, Timo Sirainen tss@iki.fi wrote:
DEF(SET_STR, ssl_protocols), DEF(SET_STR, ssl_cert_username_field), DEF(SET_STR, ssl_crypto_device),
- DEF(SET_STR, ssl_lowest_version),
Does it really require a new setting? Couldn't it use the existing ssl_protocols setting? You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 which avoids tls1.1. Not saying that it is a good thing to do. Also you set it to not do sslv2 and sslv3 which then enables tls1.0+. If you want change its definition to use as a minimal version, be my guest. Or if you plan to scan the string and match for the lowest version then this could work, too.
Now that I looked at the source. There is openssl_get_protocol_options() which could be used to figure out the lowest protocol version. Please be aware that SSL_OP_NO_TLSv1 and friends are deprecated as of openssl 1.1.0. So setting an explicit version looks more future proof. I currently don't have an opinion about "always" enabling TLS1.0 by default (since the !SSLv2 !SSLv3 line would enable TLS1.0+ and so set min protocol version TLS1.0). So it is up to you, I could prepare a patch doing that…
Sebastian