Mark TLSv1, TLSv1_1, TLSv1_2 as deprecated

CHANGES.md

@@ -12,7 +12,9 @@ Unreleased
 - Fix calls in C stubs that need to call `ERR_clear_error` before the underlying
   OpenSSL call (#118)
 - Add a module `Ssl.Error` to retrieve OpenSSL errors in a structured way (#119)
-
+- Deprecate Ssl.{SSLv23,SSLv3,TLSv1,TLSv1_1}, which were were formally
+  deprecated in March 2021 and earlier (#115).
+
 0.5.13 (2022-10-20)
 =====
 

examples/stalkd.ml

@@ -48,7 +48,7 @@ let establish_threaded_server server_handler sockaddr nbconn =
     server_handler inet_addr s;
     Ssl.shutdown s
   in
-  let ctx = Ssl.create_context Ssl.SSLv23 Ssl.Server_context in
+  let[@ocaml.alert "-deprecated"] ctx = Ssl.create_context Ssl.SSLv23 Ssl.Server_context in
   if !password <> "" then
     Ssl.set_password_callback ctx (fun _ -> !password);
   Ssl.use_certificate ctx !certfile !privkey;

examples/stelnet.ml

@@ -55,7 +55,7 @@ let _ =
     )
   in
   let sockaddr = ADDR_INET(he.h_addr_list.(0), !port) in
-  let ssl =
+  let[@ocaml.alert "-deprecated"] ssl =
     if not !parano then
       Ssl.open_connection Ssl.SSLv23 sockaddr
     else

src/ssl.mli

@@ -223,12 +223,23 @@ end
 
 (** Protocol used by SSL. *)
 type protocol =
-  | SSLv23 (** accept all possible protocols (SSLv2 if supported by openssl,
-               SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3) *)
-  | SSLv3 (** only SSL v3 protocol *)
-  | TLSv1 (** only TLS v1 protocol *)
-  | TLSv1_1 (** only TLS v1.1 protocol *)
+  | SSLv23
+    [@ocaml.alert deprecated "SSL 2.0 was deprecated in 2011 by RFC 6176."]
+    (** accept all possible protocols (SSLv2 if supported by openssl,
+        SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3) *)
+  | SSLv3
+    [@ocaml.alert deprecated "SSL 3.0 was deprecated in June 2015 by RFC 7568."]
+    (** only SSL v3 protocol *)
+  | TLSv1
+    [@ocaml.alert deprecated
+      "TLS 1.0 and 1.1 were formally deprecated in RFC8996 in March 2021."]
+    (** only TLS v1 protocol *)
+  | TLSv1_1
+    [@ocaml.alert deprecated
+      "TLS 1.0 and 1.1 were formally deprecated in RFC8996 in March 2021."]
+    (** only TLS v1.1 protocol *)
   | TLSv1_2 (** only TLS v1.2 protocol *)
+
   | TLSv1_3 (** only TLS v1.3 protocol *)
 
 (** An SSL abstract socket. *)
@@ -466,7 +477,7 @@ val file_descr_of_socket : socket -> Unix.file_descr
 
 (** The main SSL communication functions that can block if sockets are in blocking
     mode. This set of functions releases the OCaml runtime lock, which can require
-    extra copying of application data. The module [Runtime_lock] provided below 
+    extra copying of application data. The module [Runtime_lock] provided below
     lifts this limitation by never releasing the OCaml runtime lock. *)
 
 (** Connect an SSL socket. *)

tests/ssl_ciphers.ml

@@ -3,7 +3,7 @@ open Alcotest
 open Util
 let test_disable_protocols () =
   let context = Ssl.create_context TLSv1_3 Server_context in
-  Ssl.disable_protocols context [SSLv23];
+  Ssl.disable_protocols context [(SSLv23 [@ocaml.alert "-deprecated"])];
   check bool "no errors" true (Ssl.get_error_string () |> check_ssl_no_error )
 
 let test_set_cipher_list () =
@@ -53,4 +53,4 @@ Alcotest.run "Ssl cipher functions"
         test_case "Init EC params" `Quick test_init_ec_from_named_curve;
         test_case "Cipher funcs" `Quick test_socket_cipher_funcs;
       ] );
-  ]
+  ]

tests/util.ml

@@ -76,7 +76,7 @@ let server_thread addr parser =
 
 let check_ssl_no_error err = Str.string_partial_match (Str.regexp_string "error:00000000:lib(0)") err 0
 
-let pp_protocol ppf = function
+let[@ocaml.alert "-deprecated"] pp_protocol ppf = function
   | SSLv23 -> Format.fprintf ppf "SSLv23"
   | SSLv3 -> Format.fprintf ppf "SSLv3"
   | TLSv1 -> Format.fprintf ppf "TLSv1"