On Mon Dec 08 20:20:44 2014, sdao...@yandex.com wrote:
> Hello,
>
> and finally i propose three new values for the "Protocol" slot of
> SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.
>

Just to add my 2p to this thread which seems to have veered into rather
different territory...

I don't think it's appropriate to have a "VULNERABLE" option as a protocol
selection value partly because vulnerability rarely affects a whole protocol
version, just aspects of it. You can (for example) restrict yourself to TLS
v1.2 and still do insecure things such as talk to servers with 512-bit RSA keys
or using 256-bit DH parameters.

Your request seems closer to the "security levels" code which is currently only
in the OpenSSL master branch. It will by default reject many things: including
the RSA, DH examples above. An application can increase the security level to
make things stricter (but this will fail for many existing servers so it isn't
the default), disable it completely and handle everything itself (which is
what previous versions of OpenSSL do) or have finer control using an
application-specific callback.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
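The contrast Steve draws (a protocol pin does nothing about weak keys, whereas a security level has a built-in strength floor and an application callback gives finer control) as an added example for this thread; it is a simplified model written here, not OpenSSL's code, and the `sec_op` names, the -1 "defer" callback convention and `evaluate_handshake` are this example's own.

```c
/* Model of OpenSSL-style security levels for this example (not OpenSSL code).
 * Strength tables follow the NIST SP 800-57 equivalences OpenSSL documents. */
enum sec_op { SEC_OP_EE_KEY, SEC_OP_TMP_DH, SEC_OP_CIPHER };
/* Application callback: 1 = allow, 0 = reject, -1 = defer to the built-in check */
typedef int (*sec_cb)(enum sec_op op, int bits, void *arg);
struct sec_policy { int level; sec_cb cb; void *cb_arg; };
/* Parameters seen in one handshake (constructed input, not a real capture) */
struct handshake { int rsa_bits; int dh_bits; int cipher_bits; };
/* Bits of security each level demands: level 1 = 80 bits, 2 = 112, ... */
static int level_min_bits(int level) {
    static const int table[] = { 0, 80, 112, 128, 192, 256 };
    return table[level < 0 ? 0 : level > 5 ? 5 : level];
}

/* Security strength of an RSA or finite-field DH modulus of a given size */
static int ffc_security_bits(int modulus_bits) {
    static const int size[] = { 15360, 7680, 3072, 2048, 1024 };
    static const int bits[] = { 256, 192, 128, 112, 80 };
    for (int i = 0; i < 5; i++) if (modulus_bits >= size[i]) return bits[i];
    return 0;   /* below 1024 bits (the thread's 512-bit RSA) earns no credit */
}

/* Ask the application first; otherwise enforce the level's strength floor */
static int check_op(const struct sec_policy *p, enum sec_op op, int bits) {
    if (p->cb) {
        int r = p->cb(op, bits, p->cb_arg);
        if (r >= 0) return r;
    }
    if (p->level == 0) return 1;   /* level 0: the application polices itself */
    int need = level_min_bits(p->level);
    if (op == SEC_OP_CIPHER) return bits >= need;
    return ffc_security_bits(bits) >= need;
}

/* Returns the first rejected operation, or -1 when the handshake passes */
int evaluate_handshake(const struct sec_policy *p, const struct handshake *h) {
    if (!check_op(p, SEC_OP_EE_KEY, h->rsa_bits))    return SEC_OP_EE_KEY;
    if (!check_op(p, SEC_OP_TMP_DH, h->dh_bits))     return SEC_OP_TMP_DH;
    if (!check_op(p, SEC_OP_CIPHER, h->cipher_bits)) return SEC_OP_CIPHER;
    return -1;
}
/* Finer control: tolerate a legacy 1024-bit RSA certificate key but insist
 * on 2048-bit DH parameters whatever the level says */
int legacy_cert_cb(enum sec_op op, int bits, void *arg) {
    (void)arg;
    if (op == SEC_OP_EE_KEY && bits == 1024) return 1;
    if (op == SEC_OP_TMP_DH) return bits >= 2048;
    return -1;
}
```

Note that nothing in the model looks at the protocol version: a TLS 1.2-only handshake with the thread's 512-bit RSA key is rejected only because level 1 refuses the key, which is the point Steve makes.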