OpenSSL min and max proto version options #3317
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
What's the status of this work ? Was this prompted by some other discussion on github, or is there an internals discussion about it ? I feel like I'm missing context, but it could just be because ... I'm missing context (I defer to you or others for reviewing these things) ... |
|
@krakjoe see https://externals.io/message/102369 Basically it will be merged soon if there are no objections :) |
bukka
force-pushed
the
openssl_proto_minmax
branch
from
d92ed2b to
d404b5e
Compare
clue
added a commit
to clue-labs/socket
that referenced
this pull request
Nov 17, 2019
Explicit TLS 1.3 will be available via in PHP 7.4: php/php-src#3909 Older PHP versions implicitly support TLS 1.3 provided that the underlying OpenSSL version supports TLS 1.3. However, for PHP 7.3 some recent changes implicitly disable TLS 1.3, so we skip TLS 1.3 tests on affected PHP versions: php/php-src#3317
clue
added a commit
to clue-labs/socket
that referenced
this pull request
Nov 17, 2019
Explicit TLS 1.3 will be available via in PHP 7.4: php/php-src#3909 Older PHP versions implicitly support TLS 1.3 provided that the underlying OpenSSL version supports TLS 1.3. However, for PHP 7.3 some recent changes implicitly disable TLS 1.3, so we skip TLS 1.3 tests on affected PHP versions: php/php-src#3317
clue
added a commit
to clue-labs/socket
that referenced
this pull request
Nov 17, 2019
Explicit TLS 1.3 support will be available in PHP 7.4: php/php-src#3909 Older PHP versions implicitly support TLS 1.3 provided that the underlying OpenSSL version supports TLS 1.3. However, for PHP 7.3 some recent changes implicitly disable TLS 1.3, so we skip TLS 1.3 tests on affected PHP versions: php/php-src#3317
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds two new options for ssl/tls streams to set min and max protocol version:
min_proto_version- minimal protocol versionmax_proto_version- maximal protocol versionThere are new stream constants that should be used as a value:
STREAM_CRYPTO_PROTO_SSLv3STREAM_CRYPTO_PROTO_TLSv1_0STREAM_CRYPTO_PROTO_TLSv1_1STREAM_CRYPTO_PROTO_TLSv1_2It is basically meant as a feature replacement for
crypto_methodthat requires setting of all allowed protocols as a mask which means that the protocol holes were allowed. That is also changed in this PR as protocol holes should not be used which is explicitly stated in OpenSSL docs:https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html (notes section)
It means that
crypto_methodwill automatically fill missing protocols. For exampleSTREAM_CRYPTO_METHOD_TLSv1_0_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVERwill also setSTREAM_CRYPTO_METHOD_TLSv1_1_SERVERas can be seen in the changedstream_crypto_flags_003.phpttest.