Hi

On 2021/08/10 17:26, Fabian Mauchle wrote:
> Indeed the code does unconditionally set the min version (and thus ignores the system config), and also the max version (to 'any' if not configured).
> Instead of just documenting this, I would raise the question if this is rather a bug that should be fixed? (i.e. use the system defaults if not set in the radsecproxy config, or from a code perspective, don’t call SSL_CTX_set_min_proto_version() if not configured in radsecproxy)

Sure, that would be my preference since it would be backwards compatible. However, given it was done explicitly, I'd assumed it was an intentional attempt to raise security (hence documenting rather than reverting).

Regards,

- Guy