gnutls-protocol-version<

gnutls-protocol-version<

[Robert Pluim]

Hi,

since in some cases nsm has to behave differently depending on what
version of TLS was negotiated for a connection, it needs to be
possible to compare TLS protocol versions. I was thinking of adding
something like:

    gnutls-protocol-version< is a built-in function in ‘C source code’.

    (gnutls-protocol-version< V1 V2)

    Return t if TLS protocol version V1 is lower than V2.

    V1 and V2 are TLS protocol version names in the form used by GnuTLS,
    e.g. "TLS1.3".

I donʼt think we need the '>' version, and for equality you can just
use 'string-equal'.

Thoughts?

Robert

Re: gnutls-protocol-version<

[Paul Eggert]

Robert Pluim wrote:

>      (gnutls-protocol-version< V1 V2)
> 
>      Return t if TLS protocol version V1 is lower than V2.

Alternatively you could get the TLS protocol version as a string, and use 
string-version-lessp; that might be simpler.

Re: gnutls-protocol-version<

[Robert Pluim]

>>>>> On Tue, 3 Sep 2019 06:02:45 -0700, Paul Eggert <eggert@cs.ucla.edu> said:

    Paul> Robert Pluim wrote:
    >> (gnutls-protocol-version< V1 V2)
    >> Return t if TLS protocol version V1 is lower than V2.

    Paul> Alternatively you could get the TLS protocol version as a
    Paul> string, and

Thatʼs already available via gnutls-peer-status

    Paul> use string-version-lessp; that might be simpler.

That works, although it does assume that TLS version strings won't do
anything silly in the future like change prefix (they have done in the
past from SSL -> TLS, but S<T so thatʼs OK).

One nit is this:

(string-version-lessp "TLS1.3" nil) => t

which is somewhat surprising, but doesnʼt matter for my use case.

Robert