oss-sec mailing list archives
Re: feedback requested regarding deprecation of TLS 1.0/1.1
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Thu, 08 Aug 2024 20:41:18 +0200
Jeffrey Walton wrote in
 <CAH8yC8k01PEivvgmP7hk2mW7WTfxVohmFrF7FRr6NwkkzVUj3A () mail gmail com>:
 |On Wed, Aug 7, 2024 at 4:47 PM Steffen Nurpmeso <steffen () sdaoden eu> wrote:
 |> [...]
 |> Given that most sensitive software supports easy configuration, for
 |> example by passing through "MinProtocol" configuration settings to
 |> *SSL (and i so much like the possibility of a "global central
 |> OpenSSL configuration file" that bundles all relevant settings,
 |> yet so few programs support that possibility), topics like these
 |> always strike me as hysteria. And before the ears ring, i quickly
 |> say "as defaults are safe".
 |
 |Small nit: there is no SSL or TLS min version or max version.
 |
 |There is a TLS record version, and a TLS protocol version. The record
 |layer carries the protocol messages. The record version is kind of
 |boring. It has not changed much, and I would speculate you could
 |select TLS 1.0 and it would be the same as TLS 1.2 or TLS 1.3 (though
 |I did not verify the claim). The TLS protocol version is much more
 |interesting, and it is what people customarily think of when they hear
 |TLS 1.0, TLS 1.2, and TLS 1.3. It changed a lot between TLS 1.1/TLS
 |1.2, and TLS 1.2/TLS 1.3.
 |
 |TLS record version and TLS protocol version are _not_ a range of
 |min/max. They are discrete versions of the protocol for the underlying
 |transport (record) and the upper protocol data units (messages).
 |
 |Also see <https://datatracker.ietf.org/doc/html/rfc5246#appendix-E>.
 |It talks about how to set the various versions for maximum
 |interoperability.

Ok -- i was talking about the actual OpenSSL interface in question, like
SSL_CTX_set_min_proto_version(3), and -- much much more so! -- the
wonderful SSL_CONF_CTX that i as an application / library programmer can
"pass through" to users, via the much beloved SSL_CONF_CMD(3ssl), so that
they can interact with the *SSL library directly, via strings. (And there
is "MinProtocol".)
--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
| Total war - shortest war -> Permanent war - everlasting war
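The "pass through" Steffen describes, shown as an added example that is not from this thread: OpenSSL's SSL_CONF_CTX is not reachable from Python, so this uses Python's ssl module as the stand-in, accepts the MinProtocol/MaxProtocol names that SSL_CONF_cmd(3ssl) accepts, and applies them to an SSLContext while refusing anything it does not understand. The name table, the config-line parser and the min-above-max check are my own assumptions, not OpenSSL behaviour.

```python
import ssl
# Protocol names accepted by OpenSSL's SSL_CONF_cmd(3ssl) MinProtocol and
# MaxProtocol commands, mapped to the ssl module's TLSVersion values.
PROTO_BY_NAME = {
    "TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# OpenSSL spells "no limit" as None; the ssl module uses two sentinels for it.
NAME_BY_PROTO = {v: k for k, v in PROTO_BY_NAME.items()}
NAME_BY_PROTO[ssl.TLSVersion.MINIMUM_SUPPORTED] = "None"
NAME_BY_PROTO[ssl.TLSVersion.MAXIMUM_SUPPORTED] = "None"

def parse_ssl_conf(text):
    """Parse OpenSSL config-file style 'Name = Value' lines into a dict."""
    cmds = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"not a 'Name = Value' line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        cmds[name] = value
    return cmds

def apply_ssl_conf(text, ctx=None):
    """Pass user-supplied MinProtocol / MaxProtocol through to an SSLContext.
    Unknown commands or protocol names are refused rather than ignored, so a
    typo cannot silently leave the default floor in place.  Returns the
    resulting (min, max) pair as OpenSSL protocol names."""
    ctx = ssl.create_default_context() if ctx is None else ctx
    for name, value in parse_ssl_conf(text).items():
        if name not in ("MinProtocol", "MaxProtocol"):
            raise ValueError(f"unsupported SSL_CONF command: {name}")
        if value == "None":
            ver = (ssl.TLSVersion.MINIMUM_SUPPORTED if name == "MinProtocol"
                   else ssl.TLSVersion.MAXIMUM_SUPPORTED)
        elif value in PROTO_BY_NAME:
            ver = PROTO_BY_NAME[value]
        else:
            raise ValueError(f"unknown protocol name for {name}: {value}")
        if name == "MinProtocol":
            ctx.minimum_version = ver
        else:
            ctx.maximum_version = ver
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo > 0 and hi > 0 and lo > hi:  # sentinels are negative: skip them
        raise ValueError("MinProtocol above MaxProtocol: no handshake can succeed")
    return NAME_BY_PROTO.get(lo, lo.name), NAME_BY_PROTO.get(hi, hi.name)
```

Feeding it a constructed snippet such as `"MinProtocol = TLSv1.2\nMaxProtocol = TLSv1.3"` yields `("TLSv1.2", "TLSv1.3")`, while a misspelt command raises instead of leaving the module default in place.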
