Allow hardcoding of min/max minor/major SSL version at compile-time

This commit introduces the numeric compile-time constants

- MBEDTLS_SSL_CONF_MIN_MINOR_VER
- MBEDTLS_SSL_CONF_MAX_MINOR_VER
- MBEDTLS_SSL_CONF_MIN_MAJOR_VER
- MBEDTLS_SSL_CONF_MAX_MAJOR_VER

which, when defined, overwrite the runtime configurable fields
mbedtls_ssl_config::min_major_ver etc. in the SSL configuration.

As for the preceding case of the ExtendedMasterSecret configuration,
it also introduces and puts to use getter functions for these variables
which evaluate to either a field access or the macro value, maintaining
readability of the code.

The runtime configuration API mbedtls_ssl_conf_{min|max}_version()
is kept for now but has no effect if MBEDTLS_SSL_CONF_XXX are set.
This is likely to be changed in a later commit but deliberately omitted
for now, in order to be able to study code-size benefits earlier in the
process.

configs/baremetal.h

@@ -100,6 +100,10 @@
 #define MBEDTLS_SSL_CONF_SEND mbedtls_net_send
 #define MBEDTLS_SSL_CONF_RECV_TIMEOUT mbedtls_net_recv_timeout
 #define MBEDTLS_SSL_CONF_RNG mbedtls_hmac_drbg_random
+#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
 #define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
     MBEDTLS_SSL_EXTENDED_MS_ENABLED
 #define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \

include/mbedtls/config.h

@@ -3636,6 +3636,12 @@
  */
 //#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random
 
+/* TLS version */
+//#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+//#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
+
 /* ExtendedMasterSecret extension
  * The following two options must be set/unset simultaneously. */
 //#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED

include/mbedtls/ssl.h

@@ -1132,10 +1132,18 @@ struct mbedtls_ssl_config
     unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
 #endif
 
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     unsigned char max_major_ver;    /*!< max. major version used            */
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
     unsigned char max_minor_ver;    /*!< max. minor version used            */
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     unsigned char min_major_ver;    /*!< min. major version used            */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
     unsigned char min_minor_ver;    /*!< min. minor version used            */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
 
     /*
      * Flags (bitfields)

include/mbedtls/ssl_internal.h

@@ -1423,6 +1423,50 @@ static inline mbedtls_frng_t* mbedtls_ssl_conf_get_frng(
 }
 #endif /* MBEDTLS_SSL_CONF_RNG */
 
+static inline int mbedtls_ssl_conf_get_max_major_ver(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+    return( conf->max_major_ver );
+#else
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_MAX_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_min_major_ver(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
+    return( conf->min_major_ver );
+#else /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_MIN_MAJOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_max_minor_ver(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+    return( conf->max_minor_ver );
+#else /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_MAX_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER */
+}
+
+static inline int mbedtls_ssl_conf_get_min_minor_ver(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
+    return( conf->min_minor_ver );
+#else /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_MIN_MINOR_VER );
+#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+}
+
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 static inline unsigned int mbedtls_ssl_conf_get_ems(
     mbedtls_ssl_config const *conf )

library/ssl_cli.c

@@ -180,8 +180,11 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
 
     *olen = 0;
 
-    if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    if( mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) !=
+        MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
         return;
+    }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
 
@@ -558,7 +561,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
     *olen = 0;
 
     if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
-        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+          MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         return;
     }
@@ -593,7 +597,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
 
     if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
           MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
-        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
+          MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         return;
     }
@@ -788,7 +793,6 @@ static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info
     if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
         return( 1 );
 
-
     if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
         mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
     {
@@ -846,11 +850,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
 
     if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
     {
-        ssl->major_ver = ssl->conf->min_major_ver;
+        ssl->major_ver = mbedtls_ssl_conf_get_min_major_ver( ssl->conf );
-        ssl->minor_ver = ssl->conf->min_minor_ver;
+        ssl->minor_ver = mbedtls_ssl_conf_get_min_minor_ver( ssl->conf );
     }
 
-    if( ssl->conf->max_major_ver == 0 )
+    if( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
                             "consider using mbedtls_ssl_config_defaults()" ) );
@@ -867,7 +871,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
     buf = ssl->out_msg;
     p = buf + 4;
 
-    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+    mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+                               mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
                                ssl->conf->transport, p );
     p += 2;
 
@@ -981,8 +986,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
                                             ciphersuite_info )
     {
         if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
-                                      ssl->conf->min_minor_ver,
+                       mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
-                                      ssl->conf->max_minor_ver ) != 0 )
+                       mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
         {
             continue;
         }
@@ -1563,8 +1568,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
      */
     if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
         minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
-        major_ver > ssl->conf->max_major_ver  ||
+        major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf )  ||
-        minor_ver > ssl->conf->max_minor_ver  )
+        minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf )  )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
 
@@ -1715,16 +1720,18 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
     mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
                       ssl->conf->transport, buf + 0 );
 
-    if( ssl->major_ver < ssl->conf->min_major_ver ||
+    if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-        ssl->minor_ver < ssl->conf->min_minor_ver ||
+        ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
-        ssl->major_ver > ssl->conf->max_major_ver ||
+        ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
-        ssl->minor_ver > ssl->conf->max_minor_ver )
+        ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
                             " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
-                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
+                            mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+                            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
                             ssl->major_ver, ssl->minor_ver,
-                            ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+                            mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+                            mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
 
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@@ -1886,8 +1893,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
                                             ciphersuite_info )
     {
         if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
-                                      ssl->conf->min_minor_ver,
+                mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
-                                      ssl->conf->max_minor_ver ) != 0 )
+                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
         {
             continue;
         }
@@ -2360,7 +2367,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
      *      opaque random[46];
      *  } PreMasterSecret;
      */
-    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+    mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
+                               mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
                                ssl->conf->transport, p );
 
     if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )

library/ssl_srv.c

@@ -1090,15 +1090,17 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
     }
 
     ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
-    ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
+    ssl->minor_ver =
-                     ? buf[4]  : ssl->conf->max_minor_ver;
+        ( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
+        ? buf[4]  : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 
-    if( ssl->minor_ver < ssl->conf->min_minor_ver )
+    if( ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
                             ssl->major_ver, ssl->minor_ver,
-                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+                            mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+                            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
 
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@@ -1213,7 +1215,8 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
 
-            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            if( ssl->minor_ver <
+                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
 
@@ -1624,25 +1627,26 @@ read_record_header:
     ssl->handshake->max_major_ver = ssl->major_ver;
     ssl->handshake->max_minor_ver = ssl->minor_ver;
 
-    if( ssl->major_ver < ssl->conf->min_major_ver ||
+    if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
-        ssl->minor_ver < ssl->conf->min_minor_ver )
+        ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
                             " [%d:%d] < [%d:%d]",
                             ssl->major_ver, ssl->minor_ver,
-                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+                            mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
+                            mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                      MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
         return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
     }
 
-    if( ssl->major_ver > ssl->conf->max_major_ver )
+    if( ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
     {
-        ssl->major_ver = ssl->conf->max_major_ver;
+        ssl->major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
-        ssl->minor_ver = ssl->conf->max_minor_ver;
+        ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
     }
-    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
+    else if( ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
-        ssl->minor_ver = ssl->conf->max_minor_ver;
+        ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
 
     /*
      * Save client random (inc. Unix time)
@@ -2019,7 +2023,8 @@ read_record_header:
         {
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
 
-            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            if( ssl->minor_ver <
+                mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
 

library/ssl_tls.c

@@ -4705,7 +4705,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
     }
 
-    if( minor_ver > ssl->conf->max_minor_ver )
+    if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@@ -8717,14 +8717,42 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
 
 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
 {
+#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) && \
+    defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+    ((void) conf);
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     conf->max_major_ver = major;
+#else
+    ((void) major);
+#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
     conf->max_minor_ver = minor;
+#else
+    ((void) minor);
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
 }
 
 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
 {
+#if defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
+    defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
+    ((void) conf);
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     conf->min_major_ver = major;
+#else
+    ((void) major);
+#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
     conf->min_minor_ver = minor;
+#else
+    ((void) minor);
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
 }
 
 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
@@ -10961,10 +10989,18 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
          * NSA Suite B
          */
         case MBEDTLS_SSL_PRESET_SUITEB:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
             conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
             conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
             conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
             conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
 
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
@@ -10991,21 +11027,28 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
          * Default
          */
         default:
+#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
             conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
                                     MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
                                     MBEDTLS_SSL_MIN_MAJOR_VERSION :
                                     MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
             conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
                                     MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
                                     MBEDTLS_SSL_MIN_MINOR_VERSION :
                                     MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
-            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
-            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
             if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
                 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
 #endif
+#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
 
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =