On Oct 16, 2014, at 7:26 PM, Jacques Distler <distler@golem.ph.utexas.edu> wrote:
I was confused by this, too. According to
https://www.openssl.org/docs/ssl/SSL_CTX_new.html <https://www.openssl.org/docs/ssl/SSL_CTX_new.html>
SSLv23_method is a catch-all, allowing connections using SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. You can then exclude particular protocols using, e.g.,
SSL_OP_NO_TLSv1_1
to exclude TLSv1.1 (while still allowing the others).
By contrast, TLSv1_method (or SSLv3_method) allows only connections using that particular protocol (respectively TLSv1 and SSLv3).
That may be OK. All (or almost all) clients speak TLSv1. But it would be preferable to allow them to negotiate a TLSv1.2 connection if possible.
For what it's worth, this is the highly bizarre way that OpenSSL requires you to specify your protocol version requirements. In TLS itself, there's no such thing as a "method", just a protocol version. You're absolutely right that SSLv23_METHOD has nothing to do with SSLv2 or SSLv3 and just means "negotiate a protocol version out of an allowable set". In a future version of Twisted there will be the ability to specify minimum protocol version and excluded protocol version arguments, and SSLv23_METHOD should hopefully fade away and disappear into an internal implementation detail somewhere inside Twisted's TLS layer... -glyph