Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240808184118.J7FhHVm2@steffen%sdaoden.eu>
Date: Thu, 08 Aug 2024 20:41:18 +0200
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: feedback requested regarding deprecation
 of TLS 1.0/1.1

Jeffrey Walton wrote in
 <CAH8yC8k01PEivvgmP7hk2mW7WTfxVohmFrF7FRr6NwkkzVUj3A@...l.gmail.com>:
 |On Wed, Aug 7, 2024 at 4:47 PM Steffen Nurpmeso <steffen@...oden.eu> wrote:
 |> [...]
 |> Given that most sensitive software supports easy configuration, for
 |> example by passing through "MinProtocol" configuration settings to
 |> *SSL (and i so much like the possibility of a "global central
 |> OpenSSL configuration file" that bundles all relevant settings,
 |> yet so few programs support that possibility), topics like these
 |> always strike me as hysteria.  And before the ears ring, i quickly
 |> say "as defaults are safe".
 |
 |Small nit: there is no SSL or TLS min version or max version.
 |
 |There is a TLS record version, and a TLS protocol version. The record
 |layer carries the protocol messages. The record version is kind of
 |boring. It has not changed much, and I would speculate you could
 |select TLS 1.0 and it would be the same as TLS 1.2 or TLS 1.3 (though
 |I did not verify the claim). The TLS protocol version is much more
 |interesting, and it is what people customarily think of when they hear
 |TLS 1.0, TLS 1.2, and TLS 1.3. It changed a lot between TLS 1.1/TLS
 |1.2, and TLS 1.2/TLS 1.3.
 |
 |TLS record version and TLS protocol version are _not_ a range of
 |min/max. They are discrete versions of the protocol for the underlying
 |transport (record) and the upper protocol data units (messages).
 |
 |Also see <https://datatracker.ietf.org/doc/html/rfc5246#appendix-E>.
 |It talks about how to set the various versions for maximum
 |interoperability.

Ok -- i was talking about the actual OpenSSL interface in
question, like SSL_CTX_set_min_proto_version(3), and -- much much
more so! -- the wonderful SSL_CONF_CTX that i as an application /
library programmer can "pass through" to users, via the much
beloved SSL_CONF_CMD(3ssl), so that they can interact with the
*SSL library directly, via strings.  (And there is "MinProtocol".)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems o be:
|   Total war - shortest war -> Permanent war - everlasting war

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.