On 2017-01-12 18:16, Wes Turner wrote:
- Do these need a __cmp__()?
- Are there concrete-implementation-specific const constants for each library?
Why would you need to compare these? The TLS API will merely provide generic constants. Every implementation of the unified TLS API needs to map the constants somehow. I assume that the TLSVersion enum is going to have a human-readable name and a machine-readable constant, preferably the wire protocol constant. https://bugs.python.org/issue27876 is just a PoC for OpenSSL and Python's ssl module.
The Apache HTTPD `SSLProtocol` and Nginx `ssl_protocols` options support different methods of whitelisting and blacklisting.
https://mozilla.github.io/server-side-tls/ssl-config-generator/ modern (2017):
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- ssl_protocols TLSv1.2;
Nitpicking mode: Apache HTTPD does not have an SSLProtocol option. mod_ssl implements the SSLProtocol option. Other TLS libraries for Apache (mod_nss) have different options, though. Some TLS libraries only support min and max TLS version, not version picking like OpenSSL. It doesn't make much sense to support TLS 1.0 and 1.2 but disallow TLS 1.1, too. A version range with secure default settings is both the simplest and most generic approach.

Christian
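The version-range point above, as an added example that is not code from this thread or from the TLS API proposal: a TLSVersion enum keyed by the wire-protocol value, a small evaluator for mod_ssl/nginx-style protocol lists (assumption: "all" expands to every version the enum knows), and a check that the enabled set collapses to a min/max range, rejecting the "1.0 and 1.2 but not 1.1" case.

```python
from enum import IntEnum


class TLSVersion(IntEnum):
    """Protocol versions keyed by their record-layer wire value (constructed example)."""
    SSLv3 = 0x0300
    TLSv1 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303
    TLSv1_3 = 0x0304

    @property
    def display_name(self) -> str:
        # Human-readable form used by the server directives, e.g. "TLSv1.2".
        return self.name.replace("_", ".")


# Token names as they appear in mod_ssl's SSLProtocol / nginx's ssl_protocols.
_DIRECTIVE_NAMES = {v.display_name: v for v in TLSVersion}


def parse_protocol_directive(directive: str) -> set:
    """Evaluate "all -SSLv3 -TLSv1" (mod_ssl style) or "TLSv1.2 TLSv1.3"
    (nginx style) into the set of enabled versions. Assumes "all" means every
    version the enum knows; real mod_ssl ties "all" to the OpenSSL build."""
    enabled = set()
    for token in directive.split():
        if token.lower() == "all":
            enabled |= set(TLSVersion)
        elif token.startswith("-"):
            enabled.discard(_DIRECTIVE_NAMES[token[1:]])
        else:
            enabled.add(_DIRECTIVE_NAMES[token.lstrip("+")])
    return enabled


def is_contiguous(enabled) -> bool:
    """True when no known version lies inside the set's span but outside the set."""
    if not enabled:
        return False
    lo, hi = min(enabled), max(enabled)
    return all(v in enabled for v in TLSVersion if lo <= v <= hi)


def to_version_range(enabled):
    """Collapse an enabled set into (minimum, maximum), the only shape a
    min/max-style TLS library can express; refuse sets with holes."""
    if not is_contiguous(enabled):
        raise ValueError("version set is empty or has gaps; cannot be expressed as a range")
    return min(enabled), max(enabled)
```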