OpenSSL version 3.0.0 and above not reported while 'Modern' is selected as 'Mozilla configuration'

[Ricky-Tigg]

Hello. Libraries of OpenSSL version 3.0.0 and above, represent the modern code of OpenSSL while versions previous OpenSSL version 3.0.0, which are 1.0.0 and above, represent the old and still supported code of OpenSSL. Although this is so, while Modern is selected as Mozilla configuration, the reported server-sided OpenSSL version represents the latter, which is incorrect, instead of the correct version, which is represented by the former.

[gene1wood]

@Ricky-Tigg Could you explain this a bit more. I'm not following which thing is the "former" and which the "latter". And when you say "Although this is so" which part of your previous sentence are you referring to?

[Ricky-Tigg]

For each software option selected version 1.1.1k of OpenSSL is reported instead of 3.0.5. Illustration with a relevant output:

• apache 1.17.7, modern config, OpenSSL 1.1.1k
• Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1
• # unfortunately, Apache 1.17.7 and OpenSSL 1.1.1k does not support the modern configuration

Web browser currently in use: Firefox beta, v. 105, not v. 63.

Software current versions:

• Apache HTTP Server: 2.4.54
• OpenSSL: 3.0.5 (modern branch)

[gene1wood]

@Ricky-Tigg Thanks for the added detail.

I'm still having trouble understanding you.

Let's try this, could you describe

1. What the steps your following to trigger the issue
2. What output you'd expect to get and why
3. What output you're actually getting

I have one idea about what you're asking but I'm not sure. Is it possible that the input field for OpenSSL version, you're reading as an output field?

[Ricky-Tigg]

Well, please correct me when i am wrong.

• Starting state | nginx as server software, intermediate as Mozilla configuration. Environment values proposed by default by the tool, hence not by me: server v. 1.17.7, OpenSSL v. 1.1.1k. Do you agree with that?
• Changes made | apache as server software, modern as Mozilla configuration. Environment versions proposed by default by the tool, hence not by me: server v. 2.4.41, OpenSSL v. 1.1.1k. Hence OpenSSL version is unchanged, not updated to v. 3.0.5. Do you agree with that?

Now we may consider to ask ourselves, might there be a developer among this team for who that last observation, thus the non-updating of the OpenSSL version accordingly, does illustrate an intended behavior thus an operational feature. I asked myself and concluded to an issue.

[gene1wood]

Ahh got it. Yes your starting state and changed state sound correct.

Indeed, the OpenSSL version field is meant to be an input that the user uses to indicate the version of OpenSSL that's running on their server (just like they indicate the version of the web server that they're running).

Everything at the top of the page, Server Software, Mozilla Configuration, Environment and Miscellaneous are all inputs that the user can modify

Everything at the bottom of the page, the resulting config file is the output.

Maybe there's a UI change we could make to make it more clear that the top of the page is the input and the bottom of the page is output.

Do you have any suggestions on how to make it clear that the web server version and openssl version are inputs not outputs?

[Ricky-Tigg]

These details were a revelation to me. Thanks to them i can at last consider this tool as a highly useful. Then that was that default behaviour, for instance the auto-filling of version values as inputs, that surprised me. Hence i could reasonably conclude that it was designed that way; with no ability for user to choose the inputs. That's good news for me to discover that user as well has that ability. I would not consider improving this tool despite it may in the future keep on confusing new users that are not yet aware of its true nature. I guess they will be glad to adapt themselves like i am doing now.