boringssl

History

David Benjamin b6a0a518a3 Simplify version configuration. OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a nuisance for two reasons. First it makes it unnecessarily difficult to answer "are any versions below TLS 1.3 enabled?". Second the protocol does not allow discontinuous version ranges on the client anyway. OpenSSL instead picks the first continous range of enabled versions on the client, but not the server. This is bizarrely inconsistent. It also doesn't quite do this as the ClientHello sending logic does this, but not the ServerHello processing logic. So we actually break some invariants slightly. The logic is also cumbersome in DTLS which kindly inverts the comparison logic. First, switch min_version/max_version's storage to normalized versions. Next replace all the ad-hoc version-related functions with a single ssl_get_version_range function. Client and server now consistently pick a contiguous range of versions. Note this is a slight behavior change for servers. Version-range-sensitive logic is rewritten to use this new function. BUG=66 Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24 Reviewed-on: https://boringssl-review.googlesource.com/8513 Reviewed-by: David Benjamin <davidben@google.com>	2016-06-30 21:56:01 +00:00
..
openssl	Simplify version configuration.	2016-06-30 21:56:01 +00:00

David Benjamin b6a0a518a3 Simplify version configuration.

OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a
nuisance for two reasons. First it makes it unnecessarily difficult to answer
"are any versions below TLS 1.3 enabled?". Second the protocol does not allow
discontinuous version ranges on the client anyway. OpenSSL instead picks the
first continous range of enabled versions on the client, but not the server.

This is bizarrely inconsistent. It also doesn't quite do this as the
ClientHello sending logic does this, but not the ServerHello processing logic.
So we actually break some invariants slightly. The logic is also cumbersome in
DTLS which kindly inverts the comparison logic.

First, switch min_version/max_version's storage to normalized versions. Next
replace all the ad-hoc version-related functions with a single
ssl_get_version_range function. Client and server now consistently pick a
contiguous range of versions. Note this is a slight behavior change for
servers. Version-range-sensitive logic is rewritten to use this new function.

BUG=66

Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24
Reviewed-on: https://boringssl-review.googlesource.com/8513
Reviewed-by: David Benjamin <davidben@google.com>

2016-06-30 21:56:01 +00:00

openssl

Simplify version configuration.

2016-06-30 21:56:01 +00:00