On 03/10/2022 18:08, Jeremy Harris via Exim-users wrote:
> Could the min/max protocol stuff mentioned in
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
> be affecting it?
> Exim has no SSL_CONF_* calls currently; probably never has in its
> history.
Bingo. The value given by SSL_CTX_get_max_proto_version()
is TLS1_2_VERSION.
If I slam an SSL_CTX_set_max_proto_version() call for SSL_v3
in right before twiddling the option bits, all is good.
I conclude:
- the limit value is kept separate from the bitfield
setting the same essential information, in the library
- this is a poor choice
- any application written before those limit value APIs
were introduced and which did its own bit-setting
(as documented) configuration for TLS versions,
will be broken in the same way. Back-compatibility?
What does that mean?
- the *lack* of documentation that the limit value
overrides the bitfield, having made the choice
to keep them separate is... words fail me.
--
Cheers,
Jeremy