[squid-dev] [PATCH] replacement of sslversion=N by tls-min-version=1.N

Amos Jeffries squid3 at treenet.co.nz
Fri May 22 09:50:40 UTC 2015


On 15/05/2015 2:19 p.m., Amos Jeffries wrote:
> Overall the default behaviour is changed from enumerating the protocols
> wanted to limiting the unwanted.
> 
> 
> * sslversion= parameter is removed from documentation.
> 
> * sslversion= code logic is converted from setting the SSL_*_method()
> function to setting the ssloptions= masking parameters.
> 
> Yes, this will open a hole for future libraries' use of TLSv1.3. However
> that is kind of desirable, and if it becomes a problem the
> ssloptions=NO_TLSv1_3 should be made available.
> 
> 
> * The SSL_*_method() logic is all converted to using the flexible
> SSLv23_*_method() API.
> 
> That API follows the latest specification behaviour: to send a protocol
> frame type that any recipient should be able to parse (library decides
> which), while only negotiating the protocol type permitted.
> 
> 
> * A new option tls-min-version=1.N is added to server connection
> directives. It controls *only* the TLS version range.
> 
>  - http(s)_port directives are not (yet) implemented using
> Security::PeerOptions. For now they are left with options= masking to
> select protocol support.
> 
>  - SSLv3 is left at the library default unless ssloptions=NO_SSLv3 is used.
> 
> 
> * ssloptions= is left alone so anyone can still set the library options
> masks to control SSLv3 enable/disable or specific TLS versions higher
> than the configured minimum.


This was applied to trunk in rev.14084 with one small addition for
OpenSSL 1.1.0 to use the TLS_*_method() API, which has deprecated the
SSLv23_*_method() API.

Amos
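The sslversion= to ssloptions= conversion described in the quoted message, as an added example that is not part of this thread or of Squid's own code: a hypothetical helper mapping tls-min-version=1.N onto the OpenSSL SSL_OP_NO_* option mask, leaving SSLv3 to an explicit ssloptions=NO_SSLv3 as the message says. The SSL_OP_NO_* values are constructed stand-ins (matching OpenSSL's bit values) used only when the library header is not included.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins with the bit values OpenSSL's SSL_OP_NO_* macros have
 * used since 1.0.x; include <openssl/ssl.h> first to use the real ones. */
#ifndef SSL_OP_NO_SSLv3
#  define SSL_OP_NO_SSLv3   UINT64_C(0x02000000)
#  define SSL_OP_NO_TLSv1   UINT64_C(0x04000000)
#  define SSL_OP_NO_TLSv1_2 UINT64_C(0x08000000)
#  define SSL_OP_NO_TLSv1_1 UINT64_C(0x10000000)
#endif
#define BAD_MASK UINT64_MAX   /* returned for a value that cannot be mapped */

/* Map tls-min-version=1.N to the SSL_OP_NO_* bits that remove every TLS
 * version below the minimum; SSLv3 and versions above the minimum stay at
 * the library default. Hypothetical helper, not Squid's own code. */
uint64_t tlsMinVersionMask(const char *spec)
{
    uint64_t mask = 0;
    if (!spec || strlen(spec) != 3 || spec[0] != '1' || spec[1] != '.') return BAD_MASK;
    switch (spec[2]) {
    case '2': mask |= SSL_OP_NO_TLSv1_1; /* fall through */
    case '1': mask |= SSL_OP_NO_TLSv1;   /* fall through */
    case '0': return mask;
    default:  return BAD_MASK;           /* "1.3": no flag for it in these libraries */
    }
}

/* One ssloptions= token, still honoured on top of the minimum: this is how
 * SSLv3 gets disabled now that sslversion= is gone. */
uint64_t sslOptionMask(const char *token)
{
    if (strcmp(token, "NO_SSLv3") == 0)   return SSL_OP_NO_SSLv3;
    if (strcmp(token, "NO_TLSv1") == 0)   return SSL_OP_NO_TLSv1;
    if (strcmp(token, "NO_TLSv1_1") == 0) return SSL_OP_NO_TLSv1_1;
    if (strcmp(token, "NO_TLSv1_2") == 0) return SSL_OP_NO_TLSv1_2;
    return BAD_MASK;
}

int main(void)
{
    const char *specs[] = { "1.0", "1.1", "1.2" };
    for (int i = 0; i < 3; ++i) {   /* each minimum combined with ssloptions=NO_SSLv3 */
        uint64_t m = tlsMinVersionMask(specs[i]) | sslOptionMask("NO_SSLv3");
        printf("tls-min-version=%s: SSLv3 %s, TLSv1.0 %s, TLSv1.1 %s, TLSv1.2 %s\n", specs[i],
               (m & SSL_OP_NO_SSLv3) ? "off" : "on", (m & SSL_OP_NO_TLSv1) ? "off" : "on",
               (m & SSL_OP_NO_TLSv1_1) ? "off" : "on", (m & SSL_OP_NO_TLSv1_2) ? "off" : "on");
    }
}
```

The resulting mask is what would be handed to SSL_CTX_set_options() on an SSLv23_*_method() context, so the library still picks the record framing while only the permitted versions are negotiated.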
