Backport some protocol-version-related changes #4376

kaduk · 2017-09-15T15:49:11Z

Backport #3422 and #4364 , since the former removed some conflicts for the latter, and both had man page path changes needed.
util/private.num does not exist on the 1.1.0 branch.

If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call leaves the min and max version identical, and support for that version is compiled out of the library, return an error. Such an object has no hope of successfully completing a handshake, and this error may be easier to decipher than the resulting handshake failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from openssl#3422) (cherry picked from commit c8feba7) Updated the cherry-pick to not reference TLS1_3_VERSION, which does not exist on this branch.

OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new API to set the minimum and maximum protocol version for SSL_CTX with TLS_method(). Add getters to introspect the configured versions: int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); int SSL_get_min_proto_version(SSL *ssl); int SSL_get_max_proto_version(SSL *ssl); NOTE: The getters do not resolv the version in case when the minimum or maxium version are configured as '0' (meaning auto-select lowest and highst version number). Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from openssl#4364) (cherry picked from commit 3edabd3) Updated for new manual page location and TLS 1.3.

If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call leaves the min and max version identical, and support for that version is compiled out of the library, return an error. Such an object has no hope of successfully completing a handshake, and this error may be easier to decipher than the resulting handshake failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c8feba7) Updated the cherry-pick to not reference TLS1_3_VERSION, which does not exist on this branch. (Merged from #4376)

OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new API to set the minimum and maximum protocol version for SSL_CTX with TLS_method(). Add getters to introspect the configured versions: int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); int SSL_get_min_proto_version(SSL *ssl); int SSL_get_max_proto_version(SSL *ssl); NOTE: The getters do not resolv the version in case when the minimum or maxium version are configured as '0' (meaning auto-select lowest and highst version number). Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (cherry picked from commit 3edabd3) Updated for new manual page location and TLS 1.3. (Merged from #4376)

kaduk · 2017-09-15T16:47:57Z

merged; closing.

kaduk and others added 2 commits September 15, 2017 10:24

richsalz approved these changes Sep 15, 2017

View reviewed changes

kaduk mentioned this pull request Sep 15, 2017

Provide getters for min/max proto version #4364

Closed

2 tasks

kaduk closed this Sep 15, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Backport some protocol-version-related changes #4376

Backport some protocol-version-related changes #4376

kaduk commented Sep 15, 2017

kaduk commented Sep 15, 2017

Backport some protocol-version-related changes #4376

Backport some protocol-version-related changes #4376

Conversation

kaduk commented Sep 15, 2017

kaduk commented Sep 15, 2017