The protocol and security level that libopenssl uses.
Best practice: Leave this at the default of Sslv23
to allow negotiation, and use an
option list (Opt.t list
) when calling Ssl.server
or Ssl.client
to disable
undesired versions of SSL/TLS. See opt.mli for more details.
The current defaults for Version
and Opt
will enable only TLSv1.2.
Sslv23
allows negotiation, whereas the other options limit the connection to a
single protocol version. See SSL_CTX_new(3) for more details. (If you are on CentOS
6, you should probably use https://www.openssl.org/docs/man1.0.1/ssl/SSL_CTX_new.html
instead of the system manual pages--they appear out-of-date.)
SSLv2
was banned by RFC 6176 which contains a dire list of its shortcomings.
Older versions of OpenSSL do not support Tlsv1_1 and Tlsv1_2. You will be able to link with such a version, but will get an error about an undefined symbol at runtime if you try using the unsupported version.
val default : t