[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5655) add option for setting minimum TLS/SSL protocol



Philip Guenther wrote:
> On Wed, 13 Aug 2008, Howard Chu wrote:
>> This should use a single option flag and a numeric or bitfield argument
>> for selecting protocols instead. Since we're talking about minimum
>> settings, it should likely just be an increasing range of numbers.
>>
>> I note that the on-the-wire protocol version is just a 16 bit integer;
>> we could define protocol names that correspond directly to these values.
>
> OpenSSL's API for this is a bitfield with symbolic names, so there would
> still need to be a maintained mapping from whatever schema OpenLDAP
> provided to that bit set.

Yes, but there's no forward compatibility impact from this. I.e., if we have 
to map numbers to bitfields, we can just have a default case: if the number is 
higher than any we recognize, just disable all the bits we know about and 
assume the TLS library is smart enough to do something useful with whatever is 
left.

> I guess an alternative would be to directly expose the
> SSL_CTX_set_options() API: TLS_OPTIONS would take a number and pass it
> directly to that call.  Of course, the admin would have to read the .h
> file and do some math to figure out what to set, and there's no guarantee
> that OpenSSL won't change those values across a version change...

I think at this point we need to get away from using implementation-specific 
values. Back when OpenSSL was the only game in town I wouldn't have worried 
too much about it, but now it's becoming more of an issue.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/