tree 15a337b9b3595c67bfc81839d03a460abd37d0ff
parent 5db33cbdc4f2952cbd3c140edce0eda84e1447b4
author Emmanuel Hocdet <manu@gandi.net> 1490894707 +0200
committer Willy Tarreau <w@1wt.eu> 1494596944 +0200
encoding latin1

MEDIUM: ssl: calculate the real min/max TLS version and find holes

The plan is to add min-tlsxx/max-tlsxx configuration, which is more consistent than no-tlsxx.
Find the real min/max versions (openssl capabilities and haproxy configuration)
and generate a warning for a bad version range.
'no-tlsxx' can generate 'holes':
"The list of protocols available can be further limited using the SSL_OP_NO_X
options of the SSL_CTX_set_options or SSL_set_options functions. Clients should
avoid creating 'holes' in the set of protocols they support, when disabling a
protocol, make sure that you also disable either all previous or all subsequent
protocol versions. In clients, when a protocol version is disabled without
disabling all previous protocol versions, the effect is to also disable all
subsequent protocol versions."
To not break compatibility, "holes" are authorized with a warning, because openssl
1.1.0 and boringssl deal with them (keeping the upper or lower range depending on
the case and version).
