Bug 1300724

Summary: [RFE] make possible to set minimum TLS version for OpenSSL in configuration file
Product: Red Hat Enterprise Linux 7
Reporter: David Jaša <djasa>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: cfergeau, cww, hkario, mbliss, mgrepl, nmavrogi, szidek, thoger, tmraz
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Clones: 1527031
Environment:
Last Closed: 2018-11-08 19:42:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description David Jaša 2016-01-21 14:39:52 UTC
Description of problem:
Most openssl-based programs use just SSLv23_method() in order to listen or connect using all supported protocols. When there is a requirement to limit the available protocols (e.g. as a response to a vulnerability like BEAST or POODLE), the only way to do that is to rebuild all the affected apps (if they don't already have a mechanism to set SSL_CTX_set_min_proto_version() on their own).

It would be beneficial to have a mechanism for this in openssl proper that would expose the SSL_CTX_set_min_proto_version() setting to the user through the openssl.cnf config file (or maybe through an environment variable).


Version-Release number of selected component (if applicable):
RHEL 7.2 / openssl-1.0.1e-51.el7_2.2.x86_64

How reproducible:
always

Steps to Reproduce:
1. have a simple openssl-based server and client app using just SSL_CTX_new(SSLv23_method())
2. enforce minimum protocol version without modifying app itself

Actual results:
no way to achieve the result without application modification or an application-specific setting mechanism

Expected results:
openssl has a common way to set the minimum protocol

Additional info:
A similar setting would be beneficial for a cipher whitelist/blacklist.
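As an added illustration, not part of the bug report and not something RHEL 7's openssl 1.0.1 provides (the RFE above was closed WONTFIX): this is the shape the requested mechanism took when OpenSSL 1.1.1 later added a system-wide SSL_CONF section to openssl.cnf. It covers both points in the report, the minimum protocol version and the cipher whitelist/blacklist, for every application that creates its SSL_CTX with the default method and lets libssl load the configuration at initialisation. The directive names (MinProtocol, CipherString) are real OpenSSL 1.1.1 SSL_CONF commands; the section names and the cipher list are assumptions chosen here for illustration.

```ini
# Excerpt of an openssl.cnf, constructed for illustration (OpenSSL 1.1.1+ syntax).
# The openssl_conf key must sit in the unnamed default section at the top of the file.
openssl_conf = default_conf

[default_conf]
# Hook the SSL_CONF module; "ssl_sect" is an arbitrary section name (assumption).
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is the special key OpenSSL applies to every new SSL_CTX
# before the application touches it; the target section name is our choice.
system_default = system_default_sect

[system_default_sect]
# Minimum protocol version, the setting this RFE asks to expose without rebuilding apps.
# A weak value for comparison would be "TLSv1" (or omitting the line entirely,
# which leaves whatever the library build allows).
MinProtocol = TLSv1.2

# Cipher whitelist/blacklist from "Additional info", in normal OpenSSL cipher-list
# syntax: start from DEFAULT and blacklist RC4, 3DES and unauthenticated suites.
CipherString = DEFAULT:!RC4:!3DES:!aNULL
```

Two caveats a practitioner should keep in mind. First, the defaults are applied only to contexts created after the library has read the configuration, so a program built against a libssl that does not load openssl.cnf (or that is pointed elsewhere via OPENSSL_CONF) is unaffected. Second, the values are defaults, not a ceiling: an application that calls SSL_CTX_set_min_proto_version() or SSL_CTX_set_cipher_list() itself overrides them, so this mechanism answers the "rebuild every SSLv23_method() app" problem in the report, but it cannot pin a version against an application that deliberately sets its own.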