On 9 Dec 2024, at 17:38, Ilya Maximets wrote:

> The NO options are deprecated since OpenSSL 1.1.0:
>   * SSL_OP_NO_SSLv3
>   * SSL_OP_NO_TLSv1
>   * SSL_OP_NO_TLSv1_1
>   * SSL_OP_NO_TLSv1_2
>
> SSL_CTX_set_min/max_proto_version API should be used instead.
>
> Change the "ssl-protocols" configuration option to parse values and
> enable ranges with this new API instead.  This means that we'll start
> enabling protocols that may not be enabled by the user, e.g.
> --ssl-protocols="TLSv1,TLSv1.2" will now enable TLSv1.1 as well.
> But it's probably not a big deal, and there will be no way to turn off
> one protocol in the middle in the future anyway, since the OpenSSL
> API required to do so is deprecated.  And such configurations are
> very unlikely to be used in practice.  At least, that was one of the
> reasons for OpenSSL to change the API in the first place.
>
> While at it, allow users to configure simple ranges, instead of lists.
> For example, OVS will now allow values like "TLSv1-TLSv1.2" to enable
> all versions between TLSv1 and TLSv1.2, or "TLSv1.1+" to allow TLSv1.1
> or any later version.  The option still accepts a list of protocols or
> exactly one range.
>
> Signed-off-by: Ilya Maximets <[email protected]>

Patchwork did not like the cover letter ACK, so will ack them individually.

Acked-by: Eelco Chaudron <[email protected]>
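The list-or-range syntax the quoted message describes, as an added example that is not OVS's own code: it maps a value such as "TLSv1-TLSv1.2", "TLSv1.1+" or "TLSv1,TLSv1.2" to the min/max pair that would be passed to SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version, and the version codes are assumed to be the TLS wire numbers rather than taken from openssl/ssl.h.

```c
/* Added example (not OVS code): parse the "ssl-protocols" syntax from the
 * commit message, a comma-separated list or exactly one range, into the
 * min/max pair that SSL_CTX_set_min/max_proto_version would receive.
 * Version codes are the TLS wire numbers, which OpenSSL's TLS1_*_VERSION
 * macros also use (assumed here rather than pulled from openssl/ssl.h). */
#include <stdbool.h>
#include <string.h>
static const struct { const char *name; int version; } protos[] = {
    { "TLSv1", 0x0301 }, { "TLSv1.1", 0x0302 },
    { "TLSv1.2", 0x0303 }, { "TLSv1.3", 0x0304 },
};
#define N_PROTOS (sizeof protos / sizeof protos[0])

/* Version code for the 'len'-byte name at 's', or 0 if unknown. */
static int lookup(const char *s, size_t len)
{
    for (size_t i = 0; i < N_PROTOS; i++) {
        if (strlen(protos[i].name) == len && !memcmp(protos[i].name, s, len)) {
            return protos[i].version;
        }
    }
    return 0;
}

/* Fills *min/*max from 'spec'; returns false (and zeros them) on error. */
bool parse_ssl_protocols(const char *spec, int *min, int *max)
{
    const char *dash = strchr(spec, '-');
    size_t len = strlen(spec);
    *min = *max = 0;
    if (dash) {                                /* "A-B": A through B. */
        *min = lookup(spec, dash - spec);
        *max = lookup(dash + 1, strlen(dash + 1));
    } else if (len && spec[len - 1] == '+') {  /* "A+": A or any later. */
        *min = lookup(spec, len - 1);
        *max = protos[N_PROTOS - 1].version;
    } else {
        /* List: lowest and highest entries bound the range, so
         * "TLSv1,TLSv1.2" enables TLSv1.1 too, as the message notes. */
        while (*spec) {
            const char *comma = strchr(spec, ',');
            size_t n = comma ? (size_t)(comma - spec) : strlen(spec);
            int v = lookup(spec, n);
            if (!v) { *min = 0; break; }       /* Unknown name: reject. */
            if (!*min || v < *min) *min = v;
            if (v > *max) *max = v;
            spec += n + (comma ? 1 : 0);
        }
    }
    if (!*min || !*max || *min > *max) { *min = *max = 0; return false; }
    return true;
}
```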

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
