config file options for disabling use of TLS versions
lighttpd currently has the options ssl.use-sslv2 and ssl.use-sslv3 to control the use of SSL versions but there are no options to control the use of TLS versions. IMO adding more options in the same manner seems like a poor way of doing things. It would be better to add a new option that can control all current versions of SSL (v2 / v3) and TLS (1 / 1.1 / 1.2) and be future proof for TLS1.3 and so on.
Updated by firstname.lastname@example.org over 7 years ago
Tell the openssl guys to support version selection through the cipher string - that is the only way it can be really future proof.
Every other web server, SMTP server, proxy and so on has options for controlling this behavior except for lighttpd.
Updated by gstrauss almost 5 years ago
FYI: in the not-yet-released openssl 1.1.0: SSL_CONF_cmd https://www.openssl.org/docs/man1.1.0/ssl/SSL_CONF_cmd.html