Comment 8 for bug 1917625

Christian Heimes (heimes) wrote :

> I feel that openssl upstream needs to add: server_context.verify_consistent()

Yeah, I agree with you. :) The idea came up three years ago when I filed issue https://github.com/openssl/openssl/issues/5127

> 1) if openssl version 3.x, and security level is greater than 0, assume no TLS1.1 is available

Thank you, I'll consider this fact when I implement OpenSSL 3.0.0 support.

> 2) if openssl version 1.1.1+, and security level is greater than 1, assume no TLS1.1 is available

TLS 1.1 connections work fine on seclevel 2 with default upstream OpenSSL 1.1.1 and with Fedora's OpenSSL 1.1.1 using crypto-policy "DEFAULT". I'm using

    server_context.set_ciphers("@SECLEVEL=2:ALL")

to change the security level. Here Ubuntu deviates from standard OpenSSL 1.1.1 policies. So I ask again: Should we detect and special case the deviation and document it?

> 3) if ctx.get_min_proto_level returns TLS1.2 assume no TLS1.1 is available

That's the original problem, https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878. On Ubuntu SSL_CTX_get_min_proto_version() returns 0 (lowest available version) and TLS1_VERSION is available.

> 4) else try setting min_proto_level and run tests

The setter SSL_CTX_set_min_proto_version() does not return an error indication.
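The "try it and see" probe from point 4, as an added example that is not code from the bug thread or from CPython: it pins a client context to TLS 1.1 at a chosen @SECLEVEL and asks OpenSSL to build a ClientHello into a MemoryBIO, so a refusal shows up as an error even though the minimum_version setter reports nothing. The OpenSSL reason strings it matches and the seclevel thresholds are assumptions based on OpenSSL's documented security-level rules.

```python
import ssl
import warnings

# Reason strings OpenSSL reports when the client has no protocol version
# left to offer (everything filtered out by min/max or the security level).
# Assumed set of names; NO_PROTOCOLS_AVAILABLE is the usual one.
_VERSION_REFUSED = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL", "VERSION_TOO_LOW"}


def tls11_client_usable(seclevel):
    """True if a client context at this @SECLEVEL can really offer TLS 1.1,
    judged by whether OpenSSL is willing to construct a ClientHello for it."""
    if not ssl.HAS_TLSv1_1:                 # compiled out: nothing to probe
        return False
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # no peer, so no verification happens
    ctx.set_ciphers(f"@SECLEVEL={seclevel}:ALL")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.1 is deprecated in ssl
        try:
            # Like SSL_CTX_set_min_proto_version(), this does not fail when the
            # security level forbids the version; only the handshake reveals it.
            ctx.minimum_version = ssl.TLSVersion.TLSv1_1
            ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        except ValueError:                   # version rejected outright by this build
            return False
    # In-memory BIOs: no socket, no server, nothing leaves the process.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        # ClientHello was written and OpenSSL now waits for a ServerHello:
        # TLS 1.1 passed the security-level check.
        return outgoing.pending > 0
    except ssl.SSLError as exc:
        if exc.reason in _VERSION_REFUSED:
            return False
        raise                                # some unrelated failure: surface it
    return True                              # unreachable without a peer, kept for completeness
```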