Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
On Tue, 19 Aug 2008, Howard Chu wrote:
> guenther@sendmail.com wrote:
...
> > TLS_PROTOCOL_MIN<major>,<minor>
>
> Let's use US convention <major>.<minor>...
Ok.
> > C:
> > struct ldap_tls_protocol { unsigned char major, minor; } val;
> > val.major = 3; val.minor=0;
> > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val);
>
> I would just use an int, and have the caller OR in the appropriate
> values.
So:
/* force TLS 1.0 or later; ldap_set_option() takes the value by pointer */
int min_ver = (3 << 8) + 1;
ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &min_ver);
> You could also define a few macros for the currently known versions.
Preferences on the format of those macros?
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv2 (2 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv3 (3 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 ((3 << 8) + 3)
?
> What are the values for TLS1.1, 1.2, etc?
So far, TLS 1.x == SSL version 3.(x+1).
Philip Guenther
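The following is an added example, not code from this ITS thread or from OpenLDAP itself. It packs the proposed <major>.<minor> version into one int the way the macros above do, parses the proposed ldap.conf-style "TLS_PROTOCOL_MIN <major>.<minor>" value, and checks a negotiated protocol against that minimum. The helper macro LDAP_OPT_X_TLS_PROTOCOL(maj, min), the parse/compare functions and the sample config value are assumptions for illustration; only the five named macros come from the message.

```c
/* Added example (not from the ITS thread or OpenLDAP): packs the
 * <major>.<minor> protocol version the thread proposes into one int,
 * parses a "TLS_PROTOCOL_MIN <major>.<minor>" value, and checks a
 * negotiated version against the configured minimum. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Helper macro is an assumption; major in the high byte, minor in the low. */
#define LDAP_OPT_X_TLS_PROTOCOL(maj, min) (((maj) << 8) + (min))
/* The five named values as proposed in the message. */
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv2   LDAP_OPT_X_TLS_PROTOCOL(2, 0)
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv3   LDAP_OPT_X_TLS_PROTOCOL(3, 0)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0 LDAP_OPT_X_TLS_PROTOCOL(3, 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1 LDAP_OPT_X_TLS_PROTOCOL(3, 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2 LDAP_OPT_X_TLS_PROTOCOL(3, 3)

/* Split a packed version back into its two bytes. */
static int tls_version_major(int v) { return (v >> 8) & 0xff; }
static int tls_version_minor(int v) { return v & 0xff; }

/* Parse "<major>.<minor>" (e.g. "3.1" for TLS 1.0) into the packed form.
 * Returns -1 on malformed input: anything but digit '.' digits, or a
 * byte out of range.  Config syntax is the one proposed in the thread. */
int tls_protocol_parse(const char *s)
{
    char *end;
    long maj, min;
    if (s == NULL || !isdigit((unsigned char)*s)) return -1;
    maj = strtol(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1])) return -1;
    min = strtol(end + 1, &end, 10);
    if (*end != '\0') return -1;
    if (maj < 0 || maj > 255 || min < 0 || min > 255) return -1;
    return LDAP_OPT_X_TLS_PROTOCOL((int)maj, (int)min);
}

/* Because TLS 1.x is wire version 3.(x+1), the packed ints order the same
 * way the protocols do, so one integer compare enforces the minimum. */
int tls_protocol_allowed(int negotiated, int minimum)
{
    return negotiated >= minimum;
}

/* Render a packed version as its familiar name for logging. */
const char *tls_protocol_name(int v)
{
    switch (v) {
    case LDAP_OPT_X_TLS_PROTOCOL_SSLv2:   return "SSLv2";
    case LDAP_OPT_X_TLS_PROTOCOL_SSLv3:   return "SSLv3";
    case LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0: return "TLSv1.0";
    case LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1: return "TLSv1.1";
    case LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2: return "TLSv1.2";
    default: return "unknown";
    }
}

int main(void)
{
    /* Constructed sample: a config value asking for TLS 1.0 or later,
     * and a peer that negotiated only SSLv3. */
    int min = tls_protocol_parse("3.1");
    int offered = LDAP_OPT_X_TLS_PROTOCOL_SSLv3;
    printf("minimum %s (%d.%d), negotiated %s: %s\n",
           tls_protocol_name(min), tls_version_major(min), tls_version_minor(min),
           tls_protocol_name(offered),
           tls_protocol_allowed(offered, min) ? "accept" : "reject");
    return 0;
}
```

The integer compare in tls_protocol_allowed works only because the (major, minor) pairs grow monotonically with the protocol generation, which is what the "TLS 1.x == SSL 3.(x+1)" remark guarantees; the parser rejects anything that is not exactly two decimal bytes separated by a dot so a typo in the config cannot silently lower the floor.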