[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX
Richard Moore via RT
rt at openssl.org
Tue Dec 9 12:15:58 UTC 2014
On 9 December 2014 at 11:35, Steffen Nurpmeso <sdaoden at yandex.com> wrote:
> Richard Moore <richmoore44 at gmail.com> wrote:
> |On 8 December 2014 at 19:20, Steffen Nurpmeso via RT <rt at openssl.org> wrote:
> |> and finally i propose three new values for the "Protocol" slot of
> |> SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.
> |
> |In Qt we've added an enum value for TLS versions that is SecureProtocols so
> |that we could remove versions as required without requiring apps to be
> |updated. It's an open question which is more likely to get updated - Qt or
> |the apps of course. For Qt 5.4 which is due out this week we've removed
> |SSL3 from this enum so apps will silently get updated to drop support for
> |it.
>
> I see. And i think this is the most impressive or, lesser
> enthusiastic, important feature of the slow _CONF_ interface: that
> users can use strings and that those are directly swallowed by the
> OpenSSL library, so that neither recompilation nor understanding
> is necessary on the program side in order to upgrade to a new
> level of security.
>
The API we offer in Qt isn't tied to openssl so we can't do that. We also
support a Windows RT backend and a SecureTransport backend is under
development too.
> (As a side note: SecureProtocols is such a Volvo wording...
> Doesn't vulnerable energise a deeper feeling of insecurity?
> I think Hitchcock would have used the naked and bare vulnerable.)
>
That's partly due to the API naming conventions for enums. :-)
Rich.
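The point Steffen makes above, that the "Protocol" value is a plain string the library interprets, so a deployment can be tightened by editing configuration rather than rebuilding, is illustrated by the following added example (written for this page; it is not code from the thread, from Qt or from OpenSSL). It mirrors the documented token grammar of SSL_CONF_cmd()'s "Protocol" option as I understand it from the manual (comma-separated version names, "-" disables, "+" or no prefix enables, "ALL" covers every version); the bitmask constants and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* One bit per version name the "Protocol" option accepts (example's own constants). */
enum { P_SSLv2 = 1, P_SSLv3 = 2, P_TLSv1 = 4, P_TLSv1_1 = 8, P_TLSv1_2 = 16, P_ALL = 31 };

static const struct { const char *name; unsigned mask; } proto_tbl[] = {
    {"SSLv2", P_SSLv2}, {"SSLv3", P_SSLv3}, {"TLSv1", P_TLSv1},
    {"TLSv1.1", P_TLSv1_1}, {"TLSv1.2", P_TLSv1_2}, {"ALL", P_ALL},
};
#define NPROTO (sizeof proto_tbl / sizeof proto_tbl[0])

/* Apply a "Protocol" value such as "ALL,-SSLv2,-SSLv3" to the version set `current`.
 * Tokens are comma-separated; "-" disables a version, "+" or no prefix enables it.
 * Returns 0 and stores the result in *out, or -1 on an unrecognised name
 * (a typo in a policy string is rejected, never silently ignored). */
int parse_protocol_list(const char *value, unsigned current, unsigned *out)
{
    unsigned enabled = current;
    const char *p = value;

    while (*p) {
        int enable = 1;
        const char *end;
        size_t len, i;

        if (*p == '-') { enable = 0; p++; }
        else if (*p == '+') p++;
        end = strchr(p, ',');
        len = end ? (size_t)(end - p) : strlen(p);
        for (i = 0; i < NPROTO; i++)
            if (strlen(proto_tbl[i].name) == len && strncmp(proto_tbl[i].name, p, len) == 0)
                break;
        if (i == NPROTO)
            return -1;
        if (enable) enabled |= proto_tbl[i].mask; else enabled &= ~proto_tbl[i].mask;
        if (!end) break;
        p = end + 1;
    }
    *out = enabled;
    return 0;
}

/* Demo: the policy string comes from the command line (a stand-in for a config file),
 * so tightening it, e.g. to "ALL,-SSLv2,-SSLv3", needs no rebuild of the program. */
int main(int argc, char **argv)
{
    const char *policy = argc > 1 ? argv[1] : "ALL,-SSLv2,-SSLv3";
    unsigned enabled;
    size_t i;

    if (parse_protocol_list(policy, 0, &enabled) != 0) {
        fprintf(stderr, "rejected Protocol value: %s\n", policy);
        return 1;
    }
    for (i = 0; i + 1 < NPROTO; i++)   /* skip the ALL pseudo-entry */
        printf("%-8s %s\n", proto_tbl[i].name, (enabled & proto_tbl[i].mask) ? "enabled" : "disabled");
    return 0;
}
```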