On Wed, Nov 16, 2016 at 10:58:17PM +0000, Craig_Weeks@xxxxxxxxxxxxxx wrote:

> Our product is going to provide runtime options to the user to enable and
> disable TLS 1.0, 1.1 and 1.2 in a discrete manner.

This is a bad interface. Do not implement this feature. Instead support only a contiguous range of protocol versions, by allowing the user to specify a lowest supported version and a highest supported version. This maps directly onto the OpenSSL 1.1.0 API, but in older versions you'll need to map these onto corresponding:

    SSL_OP_NO_...

macros to disable all versions below the lowest, and if possible, at least one version above the highest.

Note that TLS 1.2 is the highest supported in OpenSSL 1.0.x, and no higher versions will be added. So "<= TLS 1.2" is the same as not bounded above.

--
    Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
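
An added example, not part of the original message or of OpenSSL: one way to do the mapping described above for OpenSSL 1.0.x, producing a mask that would be passed to `SSL_CTX_set_options()`. The helper names `range_to_no_mask` and `mask_is_contiguous` are hypothetical; the first disables every version above the highest (which covers the "at least one" the message asks for), and the second checks whether an existing mask built from discrete toggles leaves a hole.

```c
/* Fallback: OpenSSL 1.0.x <openssl/ssl.h> values, used only without that header. */
#ifndef SSL_OP_NO_TLSv1
# define SSL_OP_NO_SSLv2   0x01000000L
# define SSL_OP_NO_SSLv3   0x02000000L
# define SSL_OP_NO_TLSv1   0x04000000L
# define SSL_OP_NO_TLSv1_2 0x08000000L
# define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

/* Protocol versions, lowest to highest, with the option that disables each. */
static const struct { int version; long no_flag; } proto_table[] = {
    { 0x0002, SSL_OP_NO_SSLv2 },   /* SSLv2   */
    { 0x0300, SSL_OP_NO_SSLv3 },   /* SSLv3   */
    { 0x0301, SSL_OP_NO_TLSv1 },   /* TLS 1.0 */
    { 0x0302, SSL_OP_NO_TLSv1_1 }, /* TLS 1.1 */
    { 0x0303, SSL_OP_NO_TLSv1_2 }, /* TLS 1.2 */
};
#define PROTO_COUNT (sizeof(proto_table) / sizeof(proto_table[0]))

/* Hypothetical helper: [min_ver, max_ver] -> options mask; -1 on a bad range. */
int range_to_no_mask(int min_ver, int max_ver, long *mask)
{
    unsigned i;
    int known = 0;
    long m = 0;
    for (i = 0; i < PROTO_COUNT; i++) {
        int v = proto_table[i].version;
        known += (v == min_ver) + (v == max_ver);  /* both bounds must be listed */
        if (v < min_ver || v > max_ver)
            m |= proto_table[i].no_flag;           /* outside the range: disable */
    }
    if (known != 2 || min_ver > max_ver)
        return -1;
    *mask = m;                                     /* untouched on failure */
    return 0;
}

/* Hypothetical audit: 1 if the enabled versions form exactly one range, else 0. */
int mask_is_contiguous(long mask)
{
    int runs = 0, prev_on = 0;
    unsigned i;
    for (i = 0; i < PROTO_COUNT; i++) {
        int on = !(mask & proto_table[i].no_flag);
        if (on && !prev_on) runs++;                /* a new run of enabled versions */
        prev_on = on;
    }
    return runs == 1;
}
```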