How to disable renegotiation before compiling openssl


How to disable renegotiation before compiling openssl

Mark Windshield
Hello,

I was wondering what I'd have to change in the openssl code/config before compiling to have renegotiation disabled by default, so it won't send the Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using curl.

Thanks!

Re: How to disable renegotiation before compiling openssl

OpenSSL - User mailing list
On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote:
> Hello,
>
> I was wondering what I'd have to change in the openssl code/config before
> compiling to have renegotiation disabled by default, so it won't send the
> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using curl.

This description does not really make it clear whether you just want to prevent
renegotiation or specifically need this SCSV value to not be included in the
ClientHello -- the semantics of TLS_EMPTY_RENEGOTIATION_INFO_SCSV is "if
renegotiation occurs, the client supports the 'secure' variant", but is
otherwise orthogonal to whether renegotiation itself actually occurs.

-Ben
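Ben's distinction is easy to check on the wire: the SCSV is just a pseudo-cipher-suite value (0x00ff) in the ClientHello's cipher_suites list, and the equivalent renegotiation_info extension (type 0xff01) is just an extension; a hello can carry either, both or neither, and none of that says anything about whether a renegotiation ever happens. The following is an added example, not code from the thread or from OpenSSL or curl: a small parser that builds constructed ClientHello records (fixed zero random, no session id, real IANA suite numbers) and reports which of the two secure-renegotiation signals each one carries. The builder and parser are written here for illustration and assume only the TLS record and ClientHello layouts from the RFCs.

```python
"""Inspect the cipher-suite list and extensions of a TLS ClientHello.

Added example (not from the thread, OpenSSL or curl). It builds a few
constructed ClientHello records and reports whether the client signals
secure-renegotiation support via the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
pseudo-cipher-suite (0x00ff) or via the renegotiation_info extension
(0xff01, RFC 5746). Neither signal means a renegotiation is happening.
"""
import struct

SCSV_RENEGOTIATION = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
EXT_RENEGOTIATION_INFO = 0xFF01    # renegotiation_info extension type


def build_client_hello(cipher_suites, extensions=()):
    """Assemble a minimal TLS 1.2 ClientHello inside a handshake record.

    cipher_suites: iterable of 16-bit suite values.
    extensions: iterable of (type, data_bytes) tuples.
    Random and session id are fixed placeholders (constructed test data).
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x00" * 32                     # random (placeholder)
    body += b"\x00"                          # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the suites, extension types and the two renegotiation signals."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_types = []
    if pos < len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + ext_len > end:
                raise ValueError("bad extension length")
            ext_types.append(ext_type)
            pos += ext_len
    return {
        "cipher_suites": suites,
        "extensions": ext_types,
        "scsv_present": SCSV_RENEGOTIATION in suites,
        "reneg_info_ext_present": EXT_RENEGOTIATION_INFO in ext_types,
    }


# Constructed sample hellos; the suite numbers are the real IANA values.
AES128_GCM = 0xC02F   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
AES256_GCM = 0xC030   # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
HELLO_WITH_SCSV = build_client_hello([AES128_GCM, AES256_GCM, SCSV_RENEGOTIATION])
HELLO_WITH_EXT = build_client_hello([AES128_GCM, AES256_GCM],
                                    [(EXT_RENEGOTIATION_INFO, b"\x00")])
HELLO_WITH_NEITHER = build_client_hello([AES128_GCM, AES256_GCM])

if __name__ == "__main__":
    for name, hello in (("scsv", HELLO_WITH_SCSV), ("extension", HELLO_WITH_EXT),
                        ("neither", HELLO_WITH_NEITHER)):
        info = parse_client_hello(hello)
        print(f"{name:9s} suites={[hex(s) for s in info['cipher_suites']]} "
              f"scsv={info['scsv_present']} ext={info['reneg_info_ext_present']}")
```

Run against a real capture, the same parser shows whether a client advertises secure renegotiation at all; it cannot show whether renegotiation is enabled or disabled, which is exactly why the two questions need to be kept apart.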
Re: How to disable renegotiation before compiling openssl

Mark Windshield
Thanks for your reply, Ben!

Sorry for being unclear, the goal would be to just not send the SCSV value in the ClientHello.

-Mark

On Tue, 21 Apr 2020 at 22:06, Benjamin Kaduk <[hidden email]> wrote:
> On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote:
> > Hello,
> >
> > I was wondering what I'd have to change in the openssl code/config before
> > compiling to have renegotiation disabled by default, so it won't send the
> > Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) when using curl.
>
> This description does not really make it clear whether you just want to prevent
> renegotiation or specifically need this SCSV value to not be included in the
> ClientHello -- the semantics of TLS_EMPTY_RENEGOTIATION_INFO_SCSV is "if
> renegotiation occurs, the client supports the 'secure' variant", but is
> otherwise orthogonal to whether renegotiation itself actually occurs.
>
> -Ben
Re: How to disable renegotiation before compiling openssl

OpenSSL - User mailing list
> Sorry for being unclear, the goal would be to just not send the SCSV value in the ClientHello.

Why?