Hi,
I just created a PR [1] to add two new options for ssl/tls streams:
- min_proto_version
- max_proto_version
that can be set to one of the new constants:
- STREAM_CRYPTO_PROTO_SSLv3
- STREAM_CRYPTO_PROTO_TLSv1_0
- STREAM_CRYPTO_PROTO_TLSv1_1
- STREAM_CRYPTO_PROTO_TLSv1_2
It is basically a range setting which is kind of based on the new OpenSSL way
to set protocol versions [2]. The main purpose is to have a better
alternative to crypto_method that disallows protocol holes in a more obvious
way.
In addition the crypto_method is changed to prevent protocol holes and
fills in missing protocols automatically. More info in the PR.
The PR is also a pre-step for TLS 1.3 support as it cleans up the protocol
version selection and removes some deprecated bits when using OpenSSL 1.1.
If there are no objections, I would like to merge it sometime next week!
[1] https://github.com/php/php-src/pull/3317
[2] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_min_proto_version.html
Thanks
Jakub
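The following is an added illustration of the "protocol hole" point above; it is not code from the PR, from php-src, or from the mail's author. It uses only the crypto_method bitmask and STREAM_CRYPTO_METHOD_*_CLIENT flags that exist in PHP today, shows how a hand-written mask can skip a version, and builds the contiguous mask that a min/max range implies. The helper names (protocolLadder, cryptoMethodForRange, describeMask) are assumptions of this example, and the final block assumes the option names and STREAM_CRYPTO_PROTO_* constants exactly as the mail describes them, so it runs only on a build that has them.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the PR or from php-src. It shows the
// "protocol hole" problem with the existing crypto_method bitmask and what
// a contiguous min..max range looks like when expressed as that mask.

/**
 * Protocol ladder, oldest to newest, mapped to the existing
 * STREAM_CRYPTO_METHOD_*_CLIENT flags (available since PHP 5.6).
 * TLS 1.3 is appended only when this PHP build defines its flag.
 */
function protocolLadder(): array
{
    $ladder = [
        'SSLv3'   => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ];
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $ladder['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return $ladder;
}

/**
 * Build a hole-free crypto_method mask enabling every version from $min to
 * $max inclusive (the same idea as a min/max_proto_version range).
 */
function cryptoMethodForRange(string $min, string $max): int
{
    $ladder = protocolLadder();
    $names  = array_keys($ladder);
    $lo = array_search($min, $names, true);
    $hi = array_search($max, $names, true);
    if ($lo === false || $hi === false || $lo > $hi) {
        throw new InvalidArgumentException("invalid protocol range {$min}..{$max}");
    }
    $mask = 0;
    foreach (array_slice($names, $lo, $hi - $lo + 1) as $name) {
        $mask |= $ladder[$name];
    }
    return $mask;
}

/**
 * List the versions a crypto_method mask enables and flag a "hole", i.e. a
 * disabled version sitting between two enabled ones.
 */
function describeMask(int $mask): array
{
    $enabledIdx = [];
    $enabled    = [];
    $i = 0;
    foreach (protocolLadder() as $name => $flag) {
        // Client flags share the low "client" bit, so compare the whole flag.
        if (($mask & $flag) === $flag) {
            $enabledIdx[] = $i;
            $enabled[]    = $name;
        }
        $i++;
    }
    $hasHole = $enabledIdx !== []
        && (max($enabledIdx) - min($enabledIdx) + 1) !== count($enabledIdx);
    return ['enabled' => $enabled, 'hole' => $hasHole];
}

// Existing API: a hand-written mask that skips TLS 1.1 has a hole.
$holey = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
print_r(describeMask($holey));

// Range form: contiguous by construction, so no hole is possible.
$ranged = cryptoMethodForRange('TLSv1.0', 'TLSv1.2');
print_r(describeMask($ranged));

// Context usable with stream_socket_client('ssl://host:443', ...) today.
$ctx = stream_context_create(['ssl' => ['crypto_method' => $ranged]]);

// The proposed spelling of a TLS 1.2-only policy, guarded because the option
// names and constants are assumed from the mail and may not exist in this build.
if (defined('STREAM_CRYPTO_PROTO_TLSv1_2')) {
    $ctxProposed = stream_context_create(['ssl' => [
        'min_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2,
        'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2,
    ]]);
}
```

Run it with php on the command line; describeMask() reports the skipped TLS 1.1 in the first mask as a hole, while the mask built from a range cannot have one, which is the property the range options give you directly instead of relying on the caller to OR the right flags together.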