
tls: more documentation about tls method values

- added notes about tls minimum versions

Daniel-Constantin Mierla authored on 02/01/2015 10:21:39
Showing 1 changed files
... ...
@@ -25,6 +25,12 @@
25 25
 				(available starting with openssl/libssl v1.0.1e)
26 26
 				</para>
27 27
 			</listitem>
28
+			<listitem>
29
+				<para>
30
+				<emphasis>TLSv1.1+</emphasis> - TLSv1.1 or newer (TLSv1.2, ...)
31
+				connections are accepted (available starting with openssl/libssl v1.0.1)
32
+				</para>
33
+			</listitem>
28 34
 			<listitem>
29 35
 				<para>
30 36
 				<emphasis>TLSv1.1</emphasis> - only TLSv1.1 connections are accepted
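Review bot: the availability note on the new TLSv1.1+ entry ("available starting with openssl/libssl v1.0.1") does not match the one on the adjacent TLSv1.2 entry in the context lines above ("available starting with openssl/libssl v1.0.1e"); since both values depend on the same TLSv1.1/TLSv1.2 support in libssl, either use the same version string in both entries or add a short note explaining why they differ. It would also help the reader to say that "or newer" is bounded by what the linked libssl actually supports, so a user on an older library does not expect TLSv1.2 from this setting.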
... ...
@@ -33,8 +39,14 @@
33 39
 			</listitem>
34 40
 			<listitem>
35 41
 				<para>
36
-				<emphasis>TLSv1</emphasis> - only TLSv1 connections are accepted.
37
-				This is the default value.
42
+				<emphasis>TLSv1+</emphasis> - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...)
43
+				connections are accepted.
44
+				</para>
45
+			</listitem>
46
+			<listitem>
47
+				<para>
48
+				<emphasis>TLSv1</emphasis> - only TLSv1 (TLSv1.0) connections are
49
+				accepted. This is the default value.
38 50
 				</para>
39 51
 			</listitem>
40 52
 			<listitem>
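Review bot: the new TLSv1+ entry carries no "available starting with" note, unlike the TLSv1.1+ entry added in the previous hunk; for consistency either add the libssl version it needs or state explicitly that it works with any libssl that supports TLSv1. Since the text keeps TLSv1 (TLSv1.0 only) as the default while now documenting TLSv1+ right above it, consider adding one sentence recommending TLSv1+ (or TLSv1.1+ where clients allow) for new deployments, so the security-relevant choice is visible next to the default.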
... ...
@@ -52,17 +64,30 @@
52 64
 			</listitem>
53 65
 			<listitem>
54 66
 				<para>
55
-				<emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 methods
56
-				will be accepted, with the following limitation: the initial SSL hello
57
-				message must be V2 (in the initial hello all the supported protocols
58
-				are advertised enabling switching to a higher and more secure version).
59
-				This means connections from SSLv3 or TLSv1 clients will be accepted.
60
-				Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly secure.
67
+				<emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 or
68
+				newer methods will be accepted.
69
+				</para>
70
+				<para>
71
+				From OpenSSL manual: "A TLS/SSL connection established with these
72
+				methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
73
+				If extensions are required (for example server name) a client will
74
+				send out TLSv1 client hello messages including extensions and will
75
+				indicate that it also understands TLSv1.1, TLSv1.2 and permits a
76
+				fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1
77
+				and TLSv1.2 protocols. This is the best choice when compatibility
78
+				is a concern."
79
+				</para>
80
+				<para>
81
+				Note: For older libssl version, this option allows SSLv2, with hello
82
+				messages done over SSLv2. You shouldn't use SSLv2 or SSLv3 for anything
83
+				which should be highly secure.
61 84
 				</para>
62 85
 			</listitem>
63 86
 	</itemizedlist>
64 87
 	<para>
65
-		If rfc3261 conformance is desired,  TLSv1 must be used. For compatibility with older clients SSLv23 is a good option.
88
+		If rfc3261 conformance is desired, at least TLSv1 must be used. For
89
+		compatibility with older clients SSLv23 is the option, but again, be aware
90
+		of security concerns, SSLv2/3 being considered very insecure by 2014.
66 91
 	</para>
67 92
 	<example>
68 93
 	    <title>Set <varname>tls_method</varname> parameter</title>
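Review bot: the block quoted as "From OpenSSL manual" gives no source (manual page name or OpenSSL version), which matters here because the following paragraph says the SSLv23 behaviour differs between older and newer libssl versions; cite the page and version the quote was taken from. Two wording points in the same hunk: "For older libssl version, this option allows SSLv2" should read "versions", and "SSLv23 is the option" reads as if it were the only choice, so "SSLv23 is an option" (or "the usual option") would be clearer.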