Browse code

tls: refreshed the README

Daniel-Constantin Mierla authored on 02/01/2015 10:22:21
Showing 1 changed files
... ...
@@ -504,25 +504,37 @@ Revoking a certificate and using a CRL
504 504
    Sets the SSL/TLS protocol method. Possible values are:
505 505
      * TLSv1.2 - only TLSv1.2 connections are accepted (available starting
506 506
        with openssl/libssl v1.0.1e)
507
+     * TLSv1.1+ - TLSv1.1 or newer (TLSv1.2, ...) connections are accepted
508
+       (available starting with openssl/libssl v1.0.1)
507 509
      * TLSv1.1 - only TLSv1.1 connections are accepted (available starting
508 510
        with openssl/libssl v1.0.1)
509
-     * TLSv1 - only TLSv1 connections are accepted. This is the default
510
-       value.
511
+     * TLSv1+ - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...) connections are
512
+       accepted.
513
+     * TLSv1 - only TLSv1 (TLSv1.0) connections are accepted. This is the
514
+       default value.
511 515
      * SSLv3 - only SSLv3 connections are accepted. Note: you shouldn't
512 516
        use SSLv3 for anything which should be highly secure.
513 517
      * SSLv2 - only SSLv2 connections, for old clients. Note: you
514 518
        shouldn't use SSLv2 for anything which should be highly secure.
515 519
        Newer versions of libssl don't include support for it anymore.
516
-     * SSLv23 - any of the SSLv2, SSLv3 and TLSv1 methods will be
517
-       accepted, with the following limitation: the initial SSL hello
518
-       message must be V2 (in the initial hello all the supported
519
-       protocols are advertised enabling switching to a higher and more
520
-       secure version). This means connections from SSLv3 or TLSv1 clients
521
-       will be accepted. Note: you shouldn't use SSLv2 or SSLv3 for
522
-       anything which should be highly secure.
523
-
524
-   If rfc3261 conformance is desired, TLSv1 must be used. For
525
-   compatibility with older clients SSLv23 is a good option.
520
+     * SSLv23 - any of the SSLv2, SSLv3 and TLSv1 or newer methods will be
521
+       accepted.
522
+       From OpenSSL manual: "A TLS/SSL connection established with these
523
+       methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2
524
+       protocols. If extensions are required (for example server name) a
525
+       client will send out TLSv1 client hello messages including
526
+       extensions and will indicate that it also understands TLSv1.1,
527
+       TLSv1.2 and permits a fallback to SSLv3. A server will support
528
+       SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best
529
+       choice when compatibility is a concern."
530
+       Note: For older libssl version, this option allows SSLv2, with
531
+       hello messages done over SSLv2. You shouldn't use SSLv2 or SSLv3
532
+       for anything which should be highly secure.
533
+
534
+   If rfc3261 conformance is desired, at least TLSv1 must be used. For
535
+   compatibility with older clients SSLv23 is the option, but again, be
536
+   aware of security concerns, SSLv2/3 being considered very insecure by
537
+   2014.
526 538
 
527 539
    Example 1.3. Set tls_method parameter
528 540
 ...