
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol



On Tue, 19 Aug 2008, Howard Chu wrote:
> guenther@sendmail.com wrote:
...
> > TLS_PROTOCOL_MIN<major>,<minor>
> 
> Let's use US convention <major>.<minor>...

Ok.

> > C:
> > struct ldap_tls_protocol { unsigned char major, minor; } val;
> > val.major = 3; val.minor=0;
> > ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN,&val);
> 
> I would just use an int, and have the caller OR in the appropriate 
> values.

So:
	/* force TLS 1.0 or later; ldap_set_option() takes the value by pointer */
	int min = (3 << 8) + 1;
	ldap_set_option(ld, LDAP_OPT_TLS_PROTOCOL_MIN, &min);


> You could also define a few macros for the currently known versions.

Preferences on the format of those macros?

#define LDAP_OPT_X_TLS_PROTOCOL_SSLv2		(2 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_SSLv3		(3 << 8)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_0		((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_1		((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLSv1_2		((3 << 8) + 3)

?

> What are the values for TLS1.1, 1.2, etc?

So far, TLS 1.x == SSL version 3.(x+1).


Philip Guenther
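An added worked example (not code from this thread or from OpenLDAP) of the packed <major>.<minor> encoding and the TLS 1.x == SSL 3.(x+1) mapping discussed above: it parses a hypothetical "TLS_PROTOCOL_MIN 3.1" config value into the proposed int form, rejects malformed input, and checks whether a negotiated version meets the configured minimum.

```c
#include <stdio.h>

/* Pack a <major>.<minor> protocol version as proposed in the thread:
 * major in the high byte, minor in the low byte. */
static int tls_proto_pack(unsigned major, unsigned minor)
{
    return (int)((major << 8) | (minor & 0xff));
}

/* Hypothetical config helper: parse the "<major>.<minor>" argument of a
 * TLS_PROTOCOL_MIN line, e.g. "3.1" for TLS 1.0. Returns -1 on malformed
 * input (missing minor, trailing junk, or a component that does not fit
 * in one byte), so a bad setting is never silently treated as "no minimum". */
static int tls_proto_parse(const char *s)
{
    unsigned major, minor;
    char trailing;

    if (s == NULL || sscanf(s, "%u.%u%c", &major, &minor, &trailing) != 2)
        return -1;
    if (major > 255 || minor > 255)
        return -1;
    return tls_proto_pack(major, minor);
}

/* TLS 1.x is carried on the wire as SSL version 3.(x+1). */
static int tls_proto_from_tls1x(unsigned x)
{
    return tls_proto_pack(3, x + 1);
}

/* Because the major number occupies the more significant byte, a plain
 * integer comparison orders versions correctly; returns 1 if allowed. */
static int tls_proto_meets_min(int negotiated, int min)
{
    return negotiated >= min;
}

int main(void)
{
    int min = tls_proto_parse("3.1");   /* constructed config value: TLS 1.0 */

    printf("minimum = 0x%04x\n", min);
    printf("SSLv3  allowed: %d\n", tls_proto_meets_min(tls_proto_pack(3, 0), min));
    printf("TLS1.2 allowed: %d\n", tls_proto_meets_min(tls_proto_from_tls1x(2), min));
    printf("bad value '3' -> %d\n", tls_proto_parse("3"));
    return 0;
}
```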