| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2020-07-16 23:30:43 -0200 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2020-07-21 16:40:07 -0200 |
| commit | 77174598920a05826a28d8a0bd87a3af43d3f4d8 | |
| tree | ed3d423072d3f399e583d1cc7787f1d5490a3e0e /doc/man5 | |
| parent | 5ac582d949c4f0dbf919c99d59496035a1f7e982 | |
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.

SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files and command-line options.

Expected to resolve #12394

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
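The hunk below shows only the `[tls_system_default]` section; the following is an added example (not part of the commit) of a complete OpenSSL configuration file that wires that section in through `openssl_conf`, so the bounds apply to every version-flexible SSL_CTX the application creates. The section names `openssl_init` and `ssl_sect` are arbitrary choices made here; `openssl_conf`, `ssl_conf`, `system_default`, `MinProtocol` and `MaxProtocol` are the real configuration keys. It assumes a build that includes this change.

```ini
# Default application section; OpenSSL looks up "openssl_conf" unless the
# application asked for a different name.
openssl_conf = openssl_init

[openssl_init]
# Hand SSL/TLS configuration to the section named here ("ssl_sect" is an
# arbitrary name chosen for this example).
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is special: it is applied to every SSL_CTX on creation.
system_default = tls_system_default

[tls_system_default]
# With this commit, MinProtocol may be given once per protocol family.
# The TLS bound is ignored when a DTLS-based SSL_CTX is configured, and the
# DTLS bound is ignored for TLS-based ones, so both lines can coexist.
MinProtocol = TLSv1.2
MinProtocol = DTLSv1.2

# MaxProtocol follows the same rule. Leaving it unset keeps the library
# default (the newest version the build supports).
# MaxProtocol = TLSv1.3
# MaxProtocol = DTLSv1.2

# Caveat from the commit message: SSL_CTX objects created with a
# fixed-version method (e.g. TLSv1_server_method()) silently ignore these
# bounds, so a fixed TLS 1.0 context is NOT raised to TLS 1.2 by this file.
```

A quick way to confirm the file is being picked up is to point `OPENSSL_CONF` at it and observe that an `openssl s_client -tls1_1` connection to a local test server is refused by the client-side minimum, while `-tls1_2` succeeds.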
Diffstat (limited to 'doc/man5')
-rw-r--r-- | doc/man5/config.pod | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 58948b4b78..2618cef588 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -299,10 +299,15 @@ section with the configuration for that name. For example: The configuration name B<system_default> has a special meaning. If it exists, it is applied whenever an B<SSL_CTX> object is created. For example, -to impose a system-wide minimum on protocol version: +to impose system-wide minimum TLS and DTLS protocol versions: [tls_system_default] MinProtocol = TLSv1.2 + MinProtocol = DTLSv1.2 + +The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based, +and the minimum DTLS protocol to those are DTLS-based. +The same applies also to maximum versions set with B<MaxProtocol>. Each configuration section consists of name/value pairs that are parsed by B<SSL_CONF_cmd(3)>, which will be called by SSL_CTX_config() or |
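Review bot: the added line `and the minimum DTLS protocol to those are DTLS-based.` is missing a relative pronoun and should read `and the minimum DTLS protocol to those that are DTLS-based.`; in the next added line, `The same applies also to maximum versions` reads better as `The same applies to maximum versions`. More substantively, the commit message states that SSL_CTX objects created for a fixed protocol version (e.g. TLSv1_server_method()) now silently ignore MinProtocol and MaxProtocol, but the new paragraph documents only the TLS/DTLS split; a sentence saying that only version-flexible SSL_CTX objects are subject to these bounds would tell readers of config(5) why a configured bound can appear to have no effect on such a context.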