On Sat, May 30, 2020 at 02:04:56PM -0400, Joseph C. Sible wrote:
> > Thanks for the feedback, I made the change and pushed it to master.
>
> I'm happy about this change, but I notice a flaw in its implementation: it looks like servers that specify "ssl-max-ver TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would previously have disallowed SSLv3, but will now allow it. (I hope this case doesn't actually exist anywhere in practice, but if it does for some reason, we probably don't want to make them even less secure.)
>
> Joseph C. Sible
Hello Joseph,

No changes were made for server lines, we were only talking about bind lines here. There was never a default minimum on server lines.

On bind lines, indeed, if you set a maximum which is lower than the default min, the default min won't be used. This was already the case previously in fact, but the default was TLSv1.0 so it was less of a problem.

What I suggest is to display a warning if it happens, so people don't have any surprises. What do you think?

-- 
William Lallemand
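As an added illustration of the warning William proposes (example code written for this thread, not HAProxy's own parser): a small lint over haproxy.cfg bind lines that flags an explicit ssl-max-ver sitting below the minimum that would otherwise apply. The default minimum (DEFAULT_MIN_VER = TLSv1.2) is an assumption for the current bind-line default; the sample configuration is constructed.

```python
import shlex

# Protocol versions in increasing order of strength, as named in haproxy.cfg.
PROTO_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEFAULT_MIN_VER = "TLSv1.2"  # assumption: implicit bind-line minimum


def version_rank(ver):
    return PROTO_ORDER.index(ver)


def parse_bind_ssl_versions(line):
    """Return (min_ver, max_ver) for a 'bind ... ssl ...' line (None if unset),
    or None when the line is not an SSL bind line."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "bind" or "ssl" not in tokens:
        return None
    min_ver = max_ver = None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "ssl-min-ver":
            min_ver = tokens[i + 1]
        elif tok == "ssl-max-ver":
            max_ver = tokens[i + 1]
    return min_ver, max_ver


def lint_config(cfg_text, default_min=DEFAULT_MIN_VER):
    """Return (line_no, message) pairs for bind lines whose explicit maximum
    is below the minimum (explicit or default) that would otherwise apply."""
    warnings = []
    for n, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue
        parsed = parse_bind_ssl_versions(line)
        if parsed is None:
            continue
        min_ver, max_ver = parsed
        effective_min = min_ver or default_min
        if max_ver and version_rank(max_ver) < version_rank(effective_min):
            origin = "explicit" if min_ver else "default"
            warnings.append((n, f"ssl-max-ver {max_ver} is below the {origin} "
                                f"minimum {effective_min}; older protocols stay enabled"))
    return warnings


# Constructed sample: one risky bind line, one with both bounds set explicitly.
SAMPLE_CFG = """\
frontend fe_legacy
    bind :443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.1
frontend fe_ok
    bind :8443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
"""

if __name__ == "__main__":
    for line_no, msg in lint_config(SAMPLE_CFG):
        print(f"line {line_no}: {msg}")
```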

