ocaml-ssl
Ssl.disable_protocols disables too many
For a client context created with all protocols permitted, if I try to disable just SSLv23 and TLSv1_1, then I find it cannot make a connection to a server that accepts only TLSv1_2.
Here's the essence of the change I made (in a program using the Ssl module) to work around the problem: https://github.com/thomassa/xapi-xe/commit/1dc849464ca56629c63467f25b7d14f0695a4353?diff=unified
let ctx =
(* Here SSLv23 means ALL protocols *)
Ssl.create_context
Ssl.SSLv23
Ssl.Client_context
in
- (* Disable SSL v2 and v3, and TLSv1.1, leaving only TLSv1.0 and TLSv1.2 *)
- Ssl.disable_protocols ctx [Ssl.SSLv23; Ssl.TLSv1_1];
+ (* Disable SSL v2 and v3, leaving only TLSv1.0 and TLSv1.1 and TLSv1.2 *)
+ (* We don't need 1.1, but if we add it to the list then 1.2 gets disabled
+ * too: a bug in the Ssl module v0.5.2 (or the libssl it is using) *)
+ Ssl.disable_protocols ctx [Ssl.SSLv23];
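Review bot: the replacement `Ssl.disable_protocols ctx [Ssl.SSLv23];` widens what this client will negotiate relative to the intent recorded in the removed comment (only TLSv1.0 and TLSv1.2): TLSv1.1 is enabled again alongside TLSv1.0. Since the new comment explains this is a workaround for a bug in Ssl v0.5.2 or the libssl beneath it, it would be worth adding a note (or a tracking reference) that the list should be tightened back to `[Ssl.SSLv23; Ssl.TLSv1_1]` once the fix is available, so the older versions do not stay enabled indefinitely.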
This is on Ubuntu with openssl package version 1.0.1f-1ubuntu2.15.
Looking at the ocaml-ssl source code, I think the problem probably comes from elsewhere: some code that ocaml-ssl uses.
Could you tell us if this issue is still there and, if it is, provide an example to reproduce the problem?
This is not relevant anymore, especially after #121. `Ssl.create_context TLSv1_2` creates a TLSv1.2-only context.
In addition, I'm about to open a PR adding bindings to `SSL_CTX_set_{min,max}_proto_version`.
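As an added example (not code from the issue or from the ocaml-ssl project), here is a client that takes the route the maintainer describes, a TLSv1.2-only context created with `Ssl.create_context Ssl.TLSv1_2`, so no `disable_protocols` call is involved, and then checks what was actually negotiated. The host, port and CA bundle path are placeholders to adjust for your environment.

```ocaml
(* Added example; not part of the issue or of ocaml-ssl itself.
   Assumes a reachable TLS server at host/port and a CA bundle path
   (all placeholders). *)
let () =
  Ssl.init ();
  (* A TLSv1.2-only client context: SSLv2/v3 and TLS 1.0/1.1 are never
     offered, so there is nothing to disable afterwards. *)
  let ctx = Ssl.create_context Ssl.TLSv1_2 Ssl.Client_context in
  (* Verify the server certificate against the CA bundle; the handshake
     fails if verification fails. Empty string = no CA directory. *)
  Ssl.set_verify ctx [Ssl.Verify_peer] None;
  Ssl.load_verify_locations ctx "/etc/ssl/certs/ca-certificates.crt" "";
  let host = "example.invalid" and port = 443 in  (* placeholders *)
  let addr =
    Unix.ADDR_INET ((Unix.gethostbyname host).Unix.h_addr_list.(0), port)
  in
  let sock = Ssl.open_connection_with_context ctx addr in
  (* Confirm the negotiated version: with a TLSv1_2 context this must be
     TLSv1.2. get_verify_result is 0 (X509_V_OK) on a verified chain. *)
  let version = Ssl.get_cipher_version (Ssl.get_cipher sock) in
  let verify_result = Ssl.get_verify_result sock in
  Printf.printf "negotiated %s, verify result %d\n" version verify_result;
  Ssl.shutdown_connection sock
```

Pointing this at a server that only offers TLSv1.2 is the direct check for the behaviour reported in the issue: with the version-specific context the handshake succeeds, where the `disable_protocols ctx [Ssl.SSLv23; Ssl.TLSv1_1]` variant on the affected Ssl version failed.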