[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

On Wed, 13 Aug 2008, Howard Chu wrote:
> This should use a single option flag and a numeric or bitfield argument 
> for selecting protocols instead. Since we're talking about minimum 
> settings, it should likely just be an increasing range of numbers.
> I note that the on-the-wire protocol version is just a 16 bit integer; 
> we could define protocol names that correspond directly to these values.

OpenSSL's API for this is a bitfield with symbolic names, so there would 
still need to be a maintained mapping from whatever schema OpenLDAP 
provided to that bit set.

I guess an alternative would be to directly expose the 
SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it 
directly to that call.  Of course, the admin would have to read the .h 
file and do some math to figure out what to set, and there's no guarantee 
that OpenSSL won't change those values across a version change...

Philip Guenther