fix(net): switch to Tlsv1_2 for default ssl method #482
Conversation
|
This was actually using However, I recently merged in #479, which allows you to create a (side note: I'd consider a change like this to be |
|
I guess the server communicating with rejected anything less than [https://github.com/sfackler/rust-openssl/blob/master/openssl/src/ssl/mod.rs#L99]. I say the other pull but it looked like it only addressed the server side of the issue. The client side connectors still have the ssl method used hard coded :/ |
|
Oh, I see. This also affects If we make this change, does this mean the Client no longer works (by default) against servers that only use SSL instead of TLS? |
|
Yea thinking about making this backwards compatible would probably involve some additional interfaces that allow you to specify which ssl method to use, this may help answer your question. I'm open to help take that on. I imaging it would be similar to the change to http listeners translated for network connectors |
|
going to close this in favor of a more flexible solution for NetworkConnectors in the future. |
This change substitutes the previous insecure default ssl method with a more secure default. Without this I was blocked writing a client interface for a secure server supporting the more secure tls method and there wasn't a way I could find to provide the ssl method used but the client.
A more thorough changeset would probably involve something like adding a new ssl provider interface to then network connector and network listener interfaces that allow's for user defined ssl contexts, but I think that would be a breaking change. This was a much smaller change, makes the defaults more secure, and shouldn't be a breaking change, so I went with this instead.