Le 26/05/2026 à 21:42, Sebastian Andrzej Siewior a écrit :
Yes, that would be what you really want: Not touching min/max and
leaving the defaults.
Historicly speaking, we had SSLv2 and then SSLv3. So first you used
SSLv2() and then with the introduction of SSLv3 the default was
SSLv23() which made both version possible choosing the higher one.
It has been made possible to force a specfic version (by using SSLv2()
SSLv3() and later TLSv1() for v1.0) because it happend that one side had
a buggy stack and forcing the specific version on the client side was a
way to workaround the buggy stack.
This version setting made its way through most clients and everyone
assumed it is needed.
SSLv23 was the "default" which also enabled TLSv1.0+ but the naming led
to confusions on its own.
Today, openssl forces various things by default such as protocol version
v1.2+. This means if the client forces TLSv1 (min+max) then a connection
is not possible unless the remote side explicitly allows TLSv1. Since at
least Bookworm TLSv1.2 is the lower end.
Idealy you want TLSv1.3(+) (again since Bookworm at least) where you
have things such as PFS so every connection is secured with its own
session key.
SSLv3 and lower is disabled in Debian at compile time (and I think in v4
it was ripped out).
TLSv1.1 and lower is disabled by default at runtime and can be
overwritten at runtime via openssl.cnf.
Thank you for your explanations. I've updated ocaml-ssl and
ocaml-conduit, and checked that belenios compiles with libssl-dev from
experimental.
Cheers,
--
Stéphane
