From: Y.Weweler at insiders-technologies.de (Weweler, Yves-Noel)
Date: Tue, 2 Jan 2024 13:27:26 +0000
Subject: [omniORB-dev] Feature Proposal: Support selecting the TLS protocol version
In-Reply-To: <1b25bffcebfd47fcac5ab49f3c0ab165@insiders-technologies.de>
References: <1b25bffcebfd47fcac5ab49f3c0ab165@insiders-technologies.de>
Message-ID: <7da9c9a15c5d43f78c35d9121d3db830@insiders-technologies.de>

Hi,

We have certain requirements that force us to ensure that we can force specific TLS protocol versions.

First I tried doing this using an openssl configuration file. However, I noticed that within src/lib/omniORB/orbcore/ssl/sslContext.cc the TLS version configuration is overwritten.

```
// Fragment of sslContext.cc: the allowed protocol versions are hard-coded
// via SSL_OP_NO_* flags, so any min/max version set elsewhere is overridden.
void sslContext::set_supported_versions()
{
  SSL_CTX_set_options(pd_ctx,
                      SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                      SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}
```

Do you have any suggestions on how to force specific protocol versions?

Alternatively, I would like to propose that we add additional configuration to omniORB that behaves similarly to `cipher_list`. Essentially, I would like to be able to set the protocol version using the ORB-specific configuration as well as using the Python interface.

According to the openssl wiki, setting the version using options is deprecated. Hence, I suggest we adopt the min and max approach of configuration.

* https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags

> These options are deprecated as of 1.1.0, use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() instead.

Sadly, my understanding of the omniORB codebase is rather limited at the moment, hence writing appropriate tests and getting all locations correct is currently out of reach for me. Nevertheless, I prepared a small patch as a sketch for my proposal. (I never compiled it and it does not yet cover Python. Just to show my idea!)

Do you think that my approach is worth implementing?

Best regards,
Yves-Noel Weweler

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls_version_selection_draft.patch
Type: application/octet-stream
Size: 10456 bytes
Desc: tls_version_selection_draft.patch
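The min/max approach the mail proposes, as an added example that is not part of the message, the attached patch or omniORB: Python's `ssl.SSLContext.minimum_version`/`maximum_version` are implemented on top of the same `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()` calls, so the example shows a configuration value such as `TLSv1.2` being parsed, validated and applied as bounds instead of `SSL_OP_NO_*` flags. The option names `tls_min_version`/`tls_max_version` are assumptions for the example, not existing omniORB settings.

```python
import ssl

# Constructed mapping from a config-style string to ssl.TLSVersion. The
# hypothetical options "tls_min_version"/"tls_max_version" are modelled on
# omniORB's cipher_list; they are not existing omniORB options.
_VERSION_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
_FLOOR = ssl.TLSVersion.MINIMUM_SUPPORTED   # "no lower bound"
_CEIL = ssl.TLSVersion.MAXIMUM_SUPPORTED    # "no upper bound"


def parse_tls_version(name, default):
    """Map 'TLSv1.2' etc. to ssl.TLSVersion; an empty string keeps the default."""
    if not name:
        return default
    if name not in _VERSION_NAMES:
        raise ValueError(f"unknown TLS version {name!r}; "
                         f"expected one of {sorted(_VERSION_NAMES)}")
    return _VERSION_NAMES[name]


def configure_tls_versions(ctx, min_name="TLSv1.2", max_name=""):
    """Bound ctx to [min, max] the way SSL_CTX_set_min/max_proto_version does,
    instead of accumulating SSL_OP_NO_* flags. The default floor of TLS 1.2 is
    the same exclusion set omniORB's set_supported_versions() hard-codes."""
    lo = parse_tls_version(min_name, _FLOOR)
    hi = parse_tls_version(max_name, _CEIL)
    if lo is not _FLOOR and hi is not _CEIL and hi < lo:
        raise ValueError(f"tls_max_version {max_name} is below "
                         f"tls_min_version {min_name}")
    # Note: OpenSSL applies these bounds only if no OP_NO_TLSv1* flag on
    # ctx.options contradicts them, which is exactly the override problem the
    # proposal is about; ctx.options is left untouched here.
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


def permits(ctx, version):
    """True if the context's current bounds allow negotiating `version`."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    return (lo is _FLOOR or version >= lo) and (hi is _CEIL or version <= hi)
```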