> I feel that openssl upstream needs to add: server_context.verify_consistent()
Yeah, I agree with you. :) The idea came up three years ago when I filed issue https://github.com/openssl/openssl/issues/5127
> 1) if openssl version 3.x, and security level is greater than 0, assume no TLS1.1 is available
Thank you, I'll consider this fact when I implement OpenSSL 3.0.0 support
> 2) if openssl version 1.1.1+, and security level is greater than 1, assume no TLS1.1 is available
TLS 1.1 connections work fine on seclevel 2 with default upstream OpenSSL 1.1.1 and with Fedora's OpenSSL 1.1.1 using crypto-policy "DEFAULT". I'm using
server_context.set_ciphers("@SECLEVEL=2:ALL")
to change the security level. Here Ubuntu deviates from standard OpenSSL 1.1.1 policies. So I ask again: Should we detect and special case the deviation and document it?
> 3) if ctx.get_min_proto_level returns TLS1.2 assume no TLS1.1 is available
That's the original problem, https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 . On Ubuntu SSL_CTX_get_min_proto_version() returns 0 (lowest available version) and TLS1_VERSION is available.
> 4) else try setting min_proto_level and run tests
The setter SSL_CTX_set_min_proto_version() does not return an error indication.
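As an added illustration (not code from this thread, from CPython's test suite or from OpenSSL), the four-step proposal quoted above can be split into a pure decision function for steps 1 to 3 and a context probe for the "try setting min_proto_level" half of step 4. The function names are my own; the only real API used is Python's `ssl.SSLContext.minimum_version` / `maximum_version`, which wrap `SSL_CTX_set_min_proto_version()` / `SSL_CTX_set_max_proto_version()`. The probe shows exactly why step 4 has to end in a real handshake test: a read-back that matches the requested bounds, or a getter that returns the "lowest available" sentinel, says nothing about whether the library will actually negotiate TLS 1.1 at the current security level.

```python
import ssl

# Integer values of the ssl.TLSVersion members used below (they are an IntEnum).
MINIMUM_SUPPORTED = int(ssl.TLSVersion.MINIMUM_SUPPORTED)   # -2: "lowest available"
TLS1_2 = int(ssl.TLSVersion.TLSv1_2)                        # 0x303


def tls11_probably_unavailable(openssl_version, security_level, min_version):
    """Steps 1-3 of the proposal as a pure function (hypothetical helper).

    openssl_version: tuple such as ssl.OPENSSL_VERSION_INFO[:3]
    security_level:  the @SECLEVEL in effect for the context
    min_version:     value read back from SSLContext.minimum_version
    Returns True when the heuristic concludes TLS 1.1 cannot be negotiated,
    False when the caller must fall through to step 4 (an actual handshake).
    """
    major = openssl_version[0]
    # Step 1: OpenSSL 3.x refuses TLS < 1.2 at any security level above 0.
    if major >= 3 and security_level > 0:
        return True
    # Step 2: the proposal's rule for 1.1.1; note the thread disputes it,
    # since upstream and Fedora builds still allow TLS 1.1 at seclevel 2.
    if openssl_version >= (1, 1, 1) and security_level > 1:
        return True
    # Step 3: only meaningful when the getter reports a real version. Ubuntu's
    # patched build returns the "lowest available" sentinel (-2 here, 0 in C),
    # so this check cannot detect its clamping; step 4 must handle that case.
    if min_version >= TLS1_2:
        return True
    return False


def probe_tls11_bounds():
    """Step 4, first half: pin a client context to TLS 1.1 and read it back.

    Returns a dict describing what the library reported. 'bounds_honoured'
    being True does NOT prove a TLS 1.1 handshake will succeed; only a
    loopback handshake can establish that, which is the thread's point.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # probe only; no peer is contacted
    result = {"openssl": ssl.OPENSSL_VERSION_INFO[:3], "setter_raised": None}
    try:
        # Python raises ValueError when SSL_CTX_set_{min,max}_proto_version()
        # reports failure; Ubuntu's build reports success and clamps silently.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError) as exc:
        result["setter_raised"] = type(exc).__name__
    result["reported_min"] = int(ctx.minimum_version)
    result["reported_max"] = int(ctx.maximum_version)
    result["bounds_honoured"] = (
        result["setter_raised"] is None
        and ctx.minimum_version == ssl.TLSVersion.TLSv1_1
        and ctx.maximum_version == ssl.TLSVersion.TLSv1_1
    )
    # A sentinel read-back after a successful set is the Ubuntu symptom.
    result["getter_returned_sentinel"] = result["reported_min"] == MINIMUM_SUPPORTED
    return result


if __name__ == "__main__":
    print(probe_tls11_bounds())
```

Run it on the machines you care about and compare `bounds_honoured` and `getter_returned_sentinel` across Ubuntu, Fedora and an upstream build; the values differ, and none of them is a substitute for the handshake test in step 4.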