On Sat, May 30, 2020 at 08:41:04PM +0200, William Lallemand wrote:
> On Sat, May 30, 2020 at 02:04:56PM -0400, Joseph C. Sible wrote:
> > > Thanks for the feedback, I made the change and pushed it in the master.
> > >
> > 
> > I'm happy about this change, but I notice a flaw in its
> > implementation: it looks like servers that specify "ssl-max-ver
> > TLSv1.0" or "ssl-max-ver TLSv1.1" without specifying ssl-min-ver would
> > previously have disallowed SSLv3, but will now allow it. (I hope this
> > case doesn't actually exist anywhere in practice, but if it does for
> > some reason, we probably don't want to make them even less secure.)
> > 
> > Joseph C. Sible
> 
> Hello Joseph,
> 
> No changes were made for server lines, we were only talking about bind
> lines here. There was never a default minimum on server lines.
> 
> On bind lines, indeed, if you set a maximum which is lower than the
> default min, the default min won't be used. This was already the case
> previously in fact, but the default was TLSv1.0 so it was less of a
> problem.
> 
> What I suggest is to display a warning if it happens, so people don't have
> any surprises.
> 
> What do you think?

Actually I think in this case it's safer to fall back on min = max and to
display the warning.

-- 
William Lallemand
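
The resolution rule discussed in this thread, as an added model written for this page; it is not HAProxy's code and the function names are invented. It assumes a default minimum of TLSv1.2 as the parameter default (the thread only says the old default was TLSv1.0) and the version names HAProxy accepts for ssl-min-ver / ssl-max-ver. With `clamp_min_to_max=False` it reproduces the behaviour William describes (an `ssl-max-ver` below the default min silently drops the lower bound, so the bind line accepts down to SSLv3); with the default `clamp_min_to_max=True` it applies his proposal: min falls back to max and a warning is returned.

```python
# Added example: a model of how a bind line's TLS version range resolves.
# Not HAProxy source; names and the TLSv1.2 default are assumptions.

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _idx(version):
    """Position of a version in VERSIONS, rejecting unknown names."""
    if version not in VERSIONS:
        raise ValueError(f"unknown TLS version {version!r}")
    return VERSIONS.index(version)


def resolve_range(min_ver=None, max_ver=None, default_min="TLSv1.2",
                  clamp_min_to_max=True):
    """Return (effective_min, effective_max, warnings) for one bind line.

    min_ver / max_ver model explicit ssl-min-ver / ssl-max-ver keywords
    (None when absent). default_min is the implicit minimum applied to
    bind lines that set no ssl-min-ver.

    clamp_min_to_max=False: old behaviour, the default min is simply not
    used when ssl-max-ver is below it, so the lower bound becomes the
    oldest protocol (SSLv3) and nothing is reported.
    clamp_min_to_max=True: proposed behaviour, min falls back to max and
    a warning is recorded.
    """
    warnings = []
    eff_max = VERSIONS[-1] if max_ver is None else max_ver
    _idx(eff_max)

    if min_ver is not None:
        # Both bounds explicit (or only min): honour them, reject an
        # inverted range outright.
        if _idx(min_ver) > _idx(eff_max):
            raise ValueError(
                f"ssl-min-ver {min_ver} is above ssl-max-ver {eff_max}")
        return min_ver, eff_max, warnings

    if _idx(default_min) <= _idx(eff_max):
        # Normal case: the default minimum fits under the maximum.
        return default_min, eff_max, warnings

    # ssl-max-ver is below the default minimum and no ssl-min-ver was given.
    if clamp_min_to_max:
        warnings.append(
            f"ssl-max-ver {eff_max} is below the default ssl-min-ver "
            f"{default_min}; using ssl-min-ver {eff_max}")
        return eff_max, eff_max, warnings
    return VERSIONS[0], eff_max, warnings


def allowed_versions(min_ver, max_ver):
    """Protocol versions a peer may negotiate inside the resolved range."""
    return VERSIONS[_idx(min_ver):_idx(max_ver) + 1]


if __name__ == "__main__":
    # Constructed bind-line settings: only "ssl-max-ver TLSv1.1" is set.
    for clamp in (False, True):
        lo, hi, warns = resolve_range(max_ver="TLSv1.1", clamp_min_to_max=clamp)
        print(f"clamp={clamp}: accepts {allowed_versions(lo, hi)} warnings={warns}")
```

Run stand-alone, the script shows the same bind line accepting SSLv3 through TLSv1.1 under the old rule and only TLSv1.1 (with a warning) under the proposed one; passing `default_min="TLSv1.0"` shows why the old default made the case less noticeable, since TLSv1.0 still fits under a TLSv1.1 maximum.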
