[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX

Steffen Nurpmeso sdaoden at yandex.com
Tue Dec 9 11:35:30 UTC 2014


Richard Moore <richmoore44 at gmail.com> wrote:
 |On 8 December 2014 at 19:20, Steffen Nurpmeso via RT <rt at openssl.org> wrote:
 |> and finally I propose three new values for the "Protocol" slot of
 |> SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.
 |
 |In Qt we've added an enum value for TLS versions that is SecureProtocols so
 |that we could remove versions as required without requiring apps to be
 |updated. It's an open question which is more likely to get updated - Qt or
 |the apps of course. For Qt 5.4 which is due out this week we've removed
 |SSL3 from this enum so apps will silently get updated to drop support for
 |it.

I see.  And I think this is the most impressive or, less
enthusiastically put, important feature of the slow _CONF_ interface: that
users can use strings and that those are directly swallowed by the
OpenSSL library, so that neither recompilation nor understanding
is necessary on the program side in order to upgrade to a new
level of security.
(As a side note: SecureProtocols is such a Volvo wording...
Doesn't vulnerable energise a deeper feeling of insecurity?
I think Hitchcock would have used the naked and bare vulnerable.)
Ciao,

--steffen
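An added illustration of the point made above, that the "Protocol" policy lives in a string the library interprets at run time, so an operator can drop a version without the application being rebuilt. This is editor-written model code, not OpenSSL's implementation and not part of the thread. It reproduces only the documented syntax of the SSL_CONF_cmd() "Protocol" value (a comma-separated list of SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 or ALL, each optionally prefixed with + or -, everything enabled by default); the V_* flags, parse_protocol_option(), negotiate_version() and the two config strings are assumptions made for the example and stand in for the library's own SSL_OP_NO_* handling and handshake logic. In a real program the same string would be handed to `SSL_CONF_cmd(cctx, "Protocol", value)` after `SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE)`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical version bits for this model (stand-ins for OpenSSL's
 * per-version SSL_OP_NO_* options; not the library's real values). */
enum {
    V_SSLv2  = 1u << 0,
    V_SSLv3  = 1u << 1,
    V_TLSv1  = 1u << 2,
    V_TLSv11 = 1u << 3,
    V_TLSv12 = 1u << 4,
    V_ALL    = V_SSLv2 | V_SSLv3 | V_TLSv1 | V_TLSv11 | V_TLSv12
};

/* The names the documented "Protocol" option accepts. */
static const struct { const char *name; unsigned bit; } version_table[] = {
    { "SSLv2",   V_SSLv2  },
    { "SSLv3",   V_SSLv3  },
    { "TLSv1",   V_TLSv1  },
    { "TLSv1.1", V_TLSv11 },
    { "TLSv1.2", V_TLSv12 },
    { "ALL",     V_ALL    },
};

/* Parse a "Protocol" value such as "ALL,-SSLv2,-SSLv3" into the set of
 * enabled versions. Starts from "all enabled" (the documented default),
 * applies tokens left to right, and returns 1 on success. On an unknown
 * token it returns 0 and leaves *enabled untouched, so a typo in the
 * config cannot silently replace the policy with a weaker one. */
int parse_protocol_option(const char *value, unsigned *enabled)
{
    unsigned mask = V_ALL;
    const char *p = value;
    size_t n = sizeof version_table / sizeof version_table[0];

    while (*p) {
        size_t seg = strcspn(p, ",");   /* length up to next comma */
        const char *tok = p;
        size_t len = seg, i;
        int enable = 1;

        /* trim surrounding whitespace */
        while (len > 0 && isspace((unsigned char)*tok)) { tok++; len--; }
        while (len > 0 && isspace((unsigned char)tok[len - 1])) len--;

        /* optional +/- prefix; '-' disables the named version */
        if (len > 0 && (*tok == '+' || *tok == '-')) {
            enable = (*tok == '+');
            tok++; len--;
        }
        for (i = 0; i < n; i++) {
            if (strlen(version_table[i].name) == len &&
                strncmp(version_table[i].name, tok, len) == 0)
                break;
        }
        if (i == n)
            return 0;                   /* unknown name: reject whole value */
        if (enable) mask |=  version_table[i].bit;
        else        mask &= ~version_table[i].bit;

        p += seg;
        if (*p == ',') p++;
    }
    *enabled = mask;
    return 1;
}

/* Model of the server side of version negotiation: pick the highest
 * enabled version that the client also offers, where a client offering
 * client_max is assumed to offer every version up to it. 0 = no match. */
unsigned negotiate_version(unsigned server_enabled, unsigned client_max)
{
    unsigned v;
    for (v = V_TLSv12; v != 0; v >>= 1)
        if ((server_enabled & v) && v <= client_max)
            return v;
    return 0;
}

int main(void)
{
    /* Constructed config values: the same binary, two policies. */
    const char *before = "ALL";
    const char *after  = "ALL,-SSLv2,-SSLv3";
    unsigned pol_before, pol_after;

    if (!parse_protocol_option(before, &pol_before) ||
        !parse_protocol_option(after, &pol_after))
        return 1;

    /* A legacy client whose best version is SSLv3 */
    printf("%-18s -> SSLv3-only client negotiates bit 0x%02x\n",
           before, negotiate_version(pol_before, V_SSLv3));
    printf("%-18s -> SSLv3-only client negotiates bit 0x%02x\n",
           after,  negotiate_version(pol_after,  V_SSLv3));
    return 0;
}
```

The point the model makes is the one the mail makes: changing the string from "ALL" to "ALL,-SSLv2,-SSLv3" turns an SSLv3 handshake from accepted into refused with no change to the program, and rejecting unknown tokens outright means a mistyped policy fails loudly rather than falling back to "everything enabled".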

