> On Oct 16, 2014, at 7:26 PM, Jacques Distler <dist...@golem.ph.utexas.edu>
> wrote:
>
> I was confused by this, too. According to
>
> https://www.openssl.org/docs/ssl/SSL_CTX_new.html
>
> SSLv23_method is a catch-all, allowing connections using SSLv2, SSLv3, TLSv1,
> TLSv1.1 and TLSv1.2 protocols. You can then exclude particular protocols
> using, e.g.,
>
> SSL_OP_NO_TLSv1_1
>
> to exclude TLSv1.1 (while still allowing the others).
>
> By contrast, TLSv1_method (or SSLv3_method) allows only connections using
> that particular protocol (respectively TLSv1 and SSLv3).
>
> That may be OK. All (or almost all) clients speak TLSv1. But it would be
> preferable to allow them to negotiate a TLSv1.2 connection if possible.
For what it's worth, this is the highly bizarre way that OpenSSL requires you
to specify your protocol version requirements. In TLS itself, there's no such
thing as a "method", just a protocol version. You're absolutely right that
SSLv23_METHOD has nothing to do with SSLv2 or SSLv3 and just means "negotiate a
protocol version out of an allowable set".
In a future version of Twisted there will be the ability to specify minimum
protocol version and excluded protocol version arguments, and SSLv23_METHOD
should hopefully fade away and disappear into an internal implementation detail
somewhere inside Twisted's TLS layer...
-glyph
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-users
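The two models discussed in this thread, side by side, as an added example that is not code from the thread, from Twisted or from calendarserver. It uses only the Python standard library's ssl module, where PROTOCOL_TLS (and its newer side-specific variant PROTOCOL_TLS_CLIENT, used here) is the spelling of OpenSSL's catch-all SSLv23_method and the OP_NO_* constants mirror SSL_OP_NO_*. The helper names (excluded_for, exclusion_options, is_contiguous, catch_all_context, range_context, version_floor) and the version table are this example's own. The contiguity check shows why the exclusion model and the minimum/maximum model are not interchangeable: "allow everything except TLSv1.1", the example from the quoted mail, has no min/max equivalent.

```python
import ssl

# Protocol versions in negotiation order. The catch-all method (OpenSSL's
# SSLv23_method; ssl.PROTOCOL_TLS / PROTOCOL_TLS_CLIENT in the stdlib) picks
# the highest version both peers support from whatever has not been excluded.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Real ssl-module constants mirroring OpenSSL's SSL_OP_NO_* bits. Note that
# OP_NO_SSLv2 is 0 on OpenSSL builds that no longer contain SSLv2 at all.
OP_NO = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def excluded_for(allowed):
    """Names of the versions that must be switched off so only `allowed` remain."""
    unknown = set(allowed) - set(VERSIONS)
    if unknown:
        raise ValueError(f"unknown protocol version(s): {sorted(unknown)}")
    return [v for v in VERSIONS if v not in allowed]


def exclusion_options(allowed):
    """OR together the OP_NO_* bits for every version outside `allowed`."""
    opts = ssl.Options(0)
    for name in excluded_for(allowed):
        opts |= OP_NO[name]
    return opts


def is_contiguous(allowed):
    """True when `allowed` is one run of adjacent versions, i.e. it could also be
    expressed as a minimum/maximum pair rather than as a list of exclusions."""
    idx = sorted(VERSIONS.index(v) for v in allowed)
    return bool(idx) and idx == list(range(idx[0], idx[-1] + 1))


def catch_all_context(allowed):
    """The SSLv23_method model: negotiate over everything, then subtract."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= exclusion_options(allowed)
    return ctx


def range_context(minimum, maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """The version-range model: a floor and a ceiling, no method juggling."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


def version_floor(ctx):
    """Name of the lowest version a range-style context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = catch_all_context(["TLSv1.2", "TLSv1.3"])
    print("OP_NO bits set:", [v for v in VERSIONS if ctx.options & OP_NO[v]])
    # "Everything except TLSv1.1" is a legal exclusion list but not a range.
    print("expressible as min/max:", is_contiguous(["TLSv1", "TLSv1.2"]))
    print("floor:", version_floor(range_context(ssl.TLSVersion.TLSv1_2)))
```

Run it as a script to see which bits end up on the context. The range model is what the stdlib grew later (SSLContext.minimum_version and maximum_version), and it matches the minimum-version argument the reply anticipates for Twisted; the exclusion model is still what lets you cut a single version out of the middle of the set.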