[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX

Steffen Nurpmeso via RT rt at openssl.org
Mon Dec 8 19:20:44 UTC 2014


Hello,

and finally I propose three new values for the "Protocol" slot of
SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.

I included OLDEST for completeness' sake; NEWEST is in effect what
I've always forced for my thing whenever possible, and encouraged
users to use themselves, but of course it was pretty inflexible
before the advent of NEWEST.  :)

I think VULNERABLE is a good thing to have despite its
humiliating name, because it could be used to automatically secure
users by simply updating the OpenSSL library, effectively giving
the option to obsolete insecure protocols faster than what was
possible in the past, and of course: only possibly so.
But anyway: in my opinion it would be a real security improvement
if users could either use "-ALL,NEWEST" or, shall that not be
possible, "ALL,-VULNERABLE", rather in the spirit of "configure once
and forget, but stay secure".  Or something along these lines.
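To make the two spellings above concrete, here is a small evaluator for the "Protocol" list, added as an illustration; it is neither OpenSSL's code nor the attached patch. It follows the documented list semantics (every version enabled to start with, "-" disables a set, "+" or no prefix enables it), while the bit values are constructed and OLDEST, NEWEST and VULNERABLE are mapped to SSLv2, TLSv1.2 and {SSLv2, SSLv3} only as assumed placeholders for the proposed meanings.

```c
#include <string.h>

/* One bit per protocol version; these bit values are constructed for the
 * example and are not OpenSSL's SSL_OP_NO_* constants. */
enum {
    PROTO_SSLv2 = 1u, PROTO_SSLv3 = 2u, PROTO_TLSv1 = 4u,
    PROTO_TLSv1_1 = 8u, PROTO_TLSv1_2 = 16u,
    PROTO_ALL = 31u
};
#define PROTO_INVALID 0xFFFFFFFFu   /* returned when a token is unknown */

/* Assumed meaning of the three proposed names (not part of OpenSSL).
 * VULNERABLE would be a library-maintained set; SSLv2 and SSLv3 stand in
 * for it here. */
#define PROTO_OLDEST     PROTO_SSLv2
#define PROTO_NEWEST     PROTO_TLSv1_2
#define PROTO_VULNERABLE (PROTO_SSLv2 | PROTO_SSLv3)

static const struct { const char *name; unsigned bits; } proto_names[] = {
    { "ALL", PROTO_ALL }, { "SSLv2", PROTO_SSLv2 }, { "SSLv3", PROTO_SSLv3 },
    { "TLSv1", PROTO_TLSv1 }, { "TLSv1.1", PROTO_TLSv1_1 },
    { "TLSv1.2", PROTO_TLSv1_2 }, { "OLDEST", PROTO_OLDEST },
    { "NEWEST", PROTO_NEWEST }, { "VULNERABLE", PROTO_VULNERABLE },
};
#define N_NAMES (sizeof proto_names / sizeof proto_names[0])

/* Evaluate a "Protocol" list left to right.  Every version starts enabled,
 * as in OpenSSL, so "NEWEST" alone restricts nothing: a "-" prefix disables
 * the named set, "+" or no prefix enables it.  Returns the mask of enabled
 * versions, or PROTO_INVALID on an unknown or empty token. */
unsigned protocol_mask(const char *spec)
{
    unsigned mask = PROTO_ALL;
    const char *p = spec;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p), i;
        int disable = 0;
        if (len > 0 && (*p == '-' || *p == '+')) {
            disable = (*p == '-');
            p++, len--;
        }
        for (i = 0; i < N_NAMES; i++)
            if (strlen(proto_names[i].name) == len
                && memcmp(proto_names[i].name, p, len) == 0)
                break;
        if (i == N_NAMES)
            return PROTO_INVALID;
        mask = disable ? mask & ~proto_names[i].bits : mask | proto_names[i].bits;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return mask;
}
```

With these rules "-ALL,NEWEST" leaves only TLSv1.2 enabled and "ALL,-VULNERABLE" leaves TLSv1 through TLSv1.2, whereas a bare "NEWEST" changes nothing, which is the inflexibility the post refers to.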

Find attached a patch that does this and can be applied on top of
the other two patches I've sent regarding SSL_CONF_CTX.
Notes:

  - Re-adds a dummy SSLv2 value (thus includes a patch for the
    other issue I've opened).

  - Fixes some whitespace-at-eol issues of the .pod.

Thanks and ciao.

P.S.: I plan to release a new minor of my thing before the
Christian Christmas feast; it would be _really_ great to know what
OpenSSL thinks regarding the function renaming and these new
values, since I'm switching over to the new SSL_CONF_CTX interface
and am implementing a wrapper unless HAVE_OPENSSL_CONF_CTX becomes
omnipresent.
Thank you.

--steffen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_conf-more-opts.diff
Type: text/x-diff
Size: 5752 bytes
Desc: not available
URL: <http://mta.opensslfoundation.net/pipermail/openssl-dev/attachments/20141208/8c9f0a48/attachment.diff>

