Switch to TLS 1.2 by default #21
Conversation
It's 2014, no idea how this made it as a default for the past 16 years...
|
Thanks. |
|
I didn't notice your last commit making tls1.2 the default until after I pushed. I rolled back that change. The reason is, ssl23 actually handles all of them (tls and ssl) via SSLv23_client_method(). This feature is actually document in the manual, and it's openssl's recommended default for compatibility. This can best be illustrated by setting up an openssl s_server instance only using tls1.2 (-tls1_2) and then have csocket connect to it using SSL23 and you'll see it works just fine. Making tls1.2 the default will cause it to fail on SSL3 connections, which perhaps is good on a security point of view, it is not good on a pragmatic point of view as I prefer this code to function out of the box. I updated the code comment to reflect this change so there is no further confusion. |
|
@jimloco Good catch, but SSL2 should be safe to disable. It has been known to be a vulnerable protocol for years. Check The Sorry State of SSL (9:10). Even Mozilla dropped it back in 2006. Would you accept a PR disabling SSLv2 by default? |
|
Yeah, that seems fair to me. Should be pretty simple to implement, thanks! |
No description provided.