On Wed, Aug 7, 2024 at 4:47 PM Steffen Nurpmeso <[email protected]> wrote: > [...] > Given that most sensitive software supports easy configuration, for > example by passing through "MinProtocol" configuration settings to > *SSL (and i so much like the possibility of a "global central > OpenSSL configuration file" that bundles all relevant settings, > yet so few programs support that possibility), topics like these > always strike me as hysteria. And before the ears ring, i quickly > say "as defaults are safe".
Small nit: there is no SSL or TLS min version or max version. There is a TLS record version, and a TLS protocol version. The record layer carries the protocol messages. The record version is kind of boring. It has not changed much, and I would speculate you could select TLS 1.0 and it would be the same as TLS 1.2 or TLS 1.3 (though I did not verify the claim). The TLS protocol version is much more interesting, and it is what people customarily think of when they hear TLS 1.0, TLS 1.2, and TLS 1.3. It changed a lot between TLS 1.1/TLS 1.2, and TLS 1.2/TLS 1.3. TLS record version and TLS protocol version are _not_ a range of min/max. They are discrete versions of the protocol for the underlying transport (record) and the upper protocol data units (messages). Also see <https://datatracker.ietf.org/doc/html/rfc5246#appendix-E>. It talks about how to set the various versions for maximum interoperability. Jeff
