[openssl-dev] [openssl.org #3627] Enhancement request: add more "Protocol" options for SSL_CONF_CTX
Stephen Henson via RT
rt at openssl.org
Thu Dec 11 16:52:10 UTC 2014
On Mon Dec 08 20:20:44 2014, sdaoden at yandex.com wrote:
> Hello,
>
> and finally i propose three new values for the "Protocol" slot of
> SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.
>
Just to add my 2p to this thread which seems to have veered into rather
different territory...
I don't think it's appropriate to have a "VULNERABLE" option as a protocol
selection value partly because vulnerability rarely affects a whole protocol
version, just aspects of it. You can (for example) restrict yourself to TLS
v1.2 and still do insecure things such as talk to servers with 512 bit RSA keys
or using 256 bit DH parameters.
Your request seems closer to the "security levels" code which is currently only
in the OpenSSL master branch. It will by default reject many things: including
the RSA, DH examples above. An application can increase the security level to
make things stricter (but this will fail for many existing servers so it isn't
the default), disable it completely and handle everything themselves (which is
what previous versions of OpenSSL do) or have finer control using an
application specific callback.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-dev
mailing list