On 2017-08-27 12:46:59 [+0200], To Timo Sirainen wrote: > On 27 August 2017 08:32:06 CEST, Timo Sirainen <t...@iki.fi> wrote: > >> DEF(SET_STR, ssl_protocols), > >> DEF(SET_STR, ssl_cert_username_field), > >> DEF(SET_STR, ssl_crypto_device), > >> + DEF(SET_STR, ssl_lowest_version), > > > >Does it really require a new setting? Couldn't it use the existing > >ssl_protocols setting? > You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 > which avoids tls1.1. Not saying that it is a good thing to do. Also you set > it to not do sslv2 and sslv3 which then enables tls1.0+. > If you want change its definition to use as a minimal version, be my guest. > Or if you plan to scan the string and match for the lowest version then this > could work, too.
Now that I looked at the source. There is openssl_get_protocol_options() which could be used to figure out the lowest protocol version. Please be aware that SSL_OP_NO_TLSv1 and friends are deprecated as of openssl 1.1.0. So setting an explicit version looks more future proof. I currently don't have an opinion about "always" enabling TLS1.0 by default (since the !SSLv2 !SSLv3 line would enable TLS1.0+ and so set min protocol version TLS1.0). So it is up to you, I could prepare a patch doing that… Sebastian
