Jeffrey Walton wrote in
 <cah8yc8k01peivvgmp7hk2mw7wtfxvohmfrf7frr6nwkkzvu...@mail.gmail.com>:
 |On Wed, Aug 7, 2024 at 4:47 PM Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
 |> [...]
 |> Given that most sensitive software supports easy configuration, for
 |> example by passing through "MinProtocol" configuration settings to
 |> *SSL (and i so much like the possibility of a "global central
 |> OpenSSL configuration file" that bundles all relevant settings,
 |> yet so few programs support that possibility), topics like these
 |> always strike me as hysteria. And before the ears ring, i quickly
 |> say "as defaults are safe".
 |
 |Small nit: there is no SSL or TLS min version or max version.
 |
 |There is a TLS record version, and a TLS protocol version. The record
 |layer carries the protocol messages. The record version is kind of
 |boring. It has not changed much, and I would speculate you could
 |select TLS 1.0 and it would be the same as TLS 1.2 or TLS 1.3 (though
 |I did not verify the claim). The TLS protocol version is much more
 |interesting, and it is what people customarily think of when they hear
 |TLS 1.0, TLS 1.2, and TLS 1.3. It changed a lot between TLS 1.1/TLS
 |1.2, and TLS 1.2/TLS 1.3.
 |
 |TLS record version and TLS protocol version are _not_ a range of
 |min/max. They are discrete versions of the protocol for the underlying
 |transport (record) and the upper protocol data units (messages).
 |
 |Also see <https://datatracker.ietf.org/doc/html/rfc5246#appendix-E>.
 |It talks about how to set the various versions for maximum
 |interoperability.
Ok -- i was talking about the actual OpenSSL interface in question, like
SSL_CTX_set_min_proto_version(3), and -- much much more so! -- the
wonderful SSL_CONF_CTX that i as an application / library programmer can
"pass through" to users, via the much beloved SSL_CONF_CMD(3ssl), so that
they can interact with the *SSL library directly, via strings.
(And there is "MinProtocol".)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
| Total war - shortest war -> Permanent war - everlasting war
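The two messages above talk past each other slightly: Jeffrey's point is that a ClientHello carries discrete version fields (record version, legacy handshake version, the supported_versions list), while Steffen's point is that OpenSSL exposes a min/max bound on those through SSL_CTX_set_min_proto_version(3) and the "MinProtocol"/"MaxProtocol" strings of SSL_CONF_cmd(3ssl). The following is an added example, not code from either poster or from OpenSSL, that connects the two: it takes SSL_CONF-style "MinProtocol"/"MaxProtocol" strings, applies them to a client context through Python's ssl module (whose minimum_version/maximum_version setters call SSL_CTX_set_min/max_proto_version underneath), captures the ClientHello that OpenSSL writes into a memory BIO without any network, and parses out the three version fields so you can see which ones the bound actually moves. Assumptions: Python's ssl module has no SSL_CONF_cmd, so the PROTO_NAMES table is a stand-in for that string pass-through (it uses the value names SSL_CONF_cmd documents); the SNI name "example.test" is constructed; and the exact record-layer version OpenSSL puts on the first ClientHello is build-dependent, which is why the code reports it rather than assuming it.

```python
"""Added example: apply SSL_CONF-style MinProtocol/MaxProtocol strings to a
client context, capture the resulting ClientHello offline, and split it into
record version, legacy_version and supported_versions (RFC 8446 4.2.1)."""
import ssl
import struct

# Value names SSL_CONF_cmd(3ssl) accepts for MinProtocol/MaxProtocol, mapped
# onto ssl.TLSVersion.  Python has no SSL_CONF_cmd; this table is the stand-in
# for passing user-supplied strings through to the library.
PROTO_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
EXT_SUPPORTED_VERSIONS = 43   # extension type, RFC 8446 section 4.2.1
HANDSHAKE, CLIENT_HELLO = 22, 1


def apply_conf(ctx, conf):
    """Apply {"MinProtocol": ..., "MaxProtocol": ...} strings to an SSLContext,
    rejecting unknown names and an inverted range up front."""
    wanted = {}
    for key in ("MinProtocol", "MaxProtocol"):
        if key in conf:
            if conf[key] not in PROTO_NAMES:
                raise ValueError(f"{key}: unknown protocol name {conf[key]!r}")
            wanted[key] = PROTO_NAMES[conf[key]]
    if len(wanted) == 2 and wanted["MinProtocol"] > wanted["MaxProtocol"]:
        raise ValueError("MinProtocol is above MaxProtocol; no version could be negotiated")
    if "MinProtocol" in wanted:
        ctx.minimum_version = wanted["MinProtocol"]   # SSL_CTX_set_min_proto_version
    if "MaxProtocol" in wanted:
        ctx.maximum_version = wanted["MaxProtocol"]   # SSL_CTX_set_max_proto_version
    return ctx


def client_hello_for(conf):
    """Return the raw first record a client sends under the given bounds.
    The handshake is driven through memory BIOs, so no peer is needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # nothing on the other side to verify
    ctx.verify_mode = ssl.CERT_NONE
    apply_conf(ctx, conf)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")  # constructed SNI
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass   # ClientHello has been written; OpenSSL now waits for a ServerHello
    return outgoing.read()


def parse_client_hello(data):
    """Extract record version, legacy_version and supported_versions."""
    if len(data) < 5:
        raise ValueError("no record present")
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + record_len]
    if content_type != HANDSHAKE or len(body) != record_len:
        raise ValueError("not a complete handshake record")
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                   # legacy_version, random
    pos += 1 + hello[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                           # legacy_compression_methods
    supported = []
    if pos < len(hello):                            # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", edata[i:i + 2])[0]
                             for i in range(1, 1 + edata[0], 2)]
    return {"record_version": record_version,
            "legacy_version": legacy_version,
            "supported_versions": supported}


def versions_advertised(conf):
    """One-call convenience: bounds in, parsed ClientHello versions out."""
    return parse_client_hello(client_hello_for(conf))


if __name__ == "__main__":
    for conf in ({"MinProtocol": "TLSv1.2", "MaxProtocol": "TLSv1.2"},
                 {"MinProtocol": "TLSv1.2", "MaxProtocol": "TLSv1.3"}):
        v = versions_advertised(conf)
        print(conf, "record=%#06x legacy=%#06x supported=%s" % (
            v["record_version"], v["legacy_version"],
            [hex(x) for x in v["supported_versions"]]))
```

Run it and the output makes the thread's distinction concrete: the record version on the first ClientHello and the legacy_version field stay put whatever the bounds are (OpenSSL keeps legacy_version at 0x0303 even when TLS 1.3 is allowed, as RFC 8446 requires), and the only field the min/max setting visibly changes is the supported_versions list, which disappears entirely when TLS 1.3 is excluded. That list is also what a server-side detector or a TLS-policy audit should key on, not the record header.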