Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

[guenther+ldapdev@sendmail.com]

On Wed, 13 Aug 2008, Howard Chu wrote:
> Philip Guenther wrote:
...
> > OpenSSL's API for this is a bitfield with symbolic names, so there 
> > would still need to be a maintained mapping from whatever schema 
> > OpenLDAP provided to that bit set.
> 
> Yes, but there's no forward compatibility impact from this. I.e., if we 
> have to map numbers to bitfields, we can just have a default case: if 
> the number is higher than any we recognize, just disable all the bits we 
> know about and assume the TLS library is smart enough to do something 
> useful with whatever is left.

Hmm, with a warning in the docs "if you set this option to a value beyond 
the range understood by your version of OpenLDAP or the underlying SSL 
library, it may enforce a lower minimum or fail completely".


So instead of writing
	TLS_PROTOCOL_MIN TLSv1.0
they would write
	TLS_PROTOCOL_MIN 3,1

etc?  I guess that's acceptable to me, albeit a little user unfriendly.


> > I guess an alternative would be to directly expose the
> > SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it
> > directly to that call.  Of course, the admin would have to read the .h
> > file and do some math to figure out what to set, and there's no guarantee
> > that OpenSSL won't change those values across a version change...
>
> I think at this point we need to get away from using implementation-specific
> values. Back when OpenSSL was the only game in town I wouldn't have worried
> too much about it, but now it's becoming more of an issue.

I guess I shouldn't have left out the "<joke>" brackets around that.


Philip