How to disable tls 1.0 and tls 1.1

How to disable tls 1.0 and tls 1.1

Chethan Kumar

Dear all,

 

Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling openssl package.

I am using 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.

 

I also have a doubt on difference between -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.

Can someone please explain the difference.

 

Thanks in advance,

Chethan Kumar

 

The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the
recipient and may contain privileged information. If you are not the intended recipient, please notify the
sender and delete the message along with any attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Software India Pvt. Ltd, for any loss or damage arising in any way from its use.


RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar

Adding to previous mail,

We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with disabling SSLv2 and v1 but still client hello is sent using min and max as TLS1.0 and TLS1.2.

 

Any idea what is wrong in our options and what should be used instead?

 

Thanks in advance,

Chethan Kumar

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Chethan Kumar
Sent: Thursday, April 11, 2019 4:25 PM
To: [hidden email]
Subject: How to disable tls 1.0 and tls 1.1

 



Re: How to disable tls 1.0 and tls 1.1

Hubert Kario
On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> Adding to previous mail,
> We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with disabling SSLv2
> and v1 but still client hello is sent using min and max as TLS1.0 and
> TLS1.2.

there is no "min" version in Client Hello, the version in record layer is
irrelevant and used only for backwards compatibility *NOT* for negotiation

> Any idea what is wrong in our options and what should be used instead.?

compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1
to enable just TLS 1.1 and see if your production compile can connect


--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar
> there is no "min" version in Client Hello, the version in record layer is irrelevant and used only for backwards compatibility *NOT* for negotiation
Thank you for the information. But have a doubt, then what is the importance of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() introduced in 1.1.X along with SSL_CTX_set_options().

I would like to know how to disable TLSv1.0 and 1.1 using configure option[CONFOPTS] in Makefile.

Thanks in advance,
Chethan Kumar


-----Original Message-----
From: Hubert Kario [mailto:[hidden email]]
Sent: Thursday, April 11, 2019 7:08 PM
To: [hidden email]
Cc: Chethan Kumar <[hidden email]>
Subject: Re: How to disable tls 1.0 and tls 1.1


Re: How to disable tls 1.0 and tls 1.1

Hubert Kario
On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > there is no "min" version in Client Hello, the version in record layer is
> > irrelevant and used only for backwards compatibility *NOT* for
> > negotiation
> Thank you for the information. But have a doubt, then what is the importance
> of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
> introduced in 1.1.X along with SSL_CTX_set_options().

when the minimum set is higher than what the server answers with, the *client*
will reject the connection after receiving ServerHello

that is:
when SSL_CTX_set_min_proto_version is set to tls 1.2,
SSL_CTX_set_max_proto_version is set to tls 1.3
and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1
the client will abort the connection
 
> I would like to know how to disable TLSv1.0 and 1.1 using configure
> option[CONFOPTS] in Makefile.

what evidence you have that what you do is ineffective?

why you're not using?
./config no-tls1 no-tls1_1


--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
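
Added example, not part of the original thread and not OpenSSL code: a dependency-free C parser for the two version fields discussed in the replies above (record-layer version versus the hello's own version), followed by the client-side range check applied to ServerHello. It assumes the TLS 1.2-and-earlier hello layout; the messages are constructed sample bytes, and `build_hello`, `parse_hello` and `client_accepts` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_0 0x0301
#define TLS1_1 0x0302
#define TLS1_2 0x0303
#define TLS1_3 0x0304

/* Version fields carried by a ClientHello or ServerHello. */
struct hello_versions {
    uint8_t  msg_type;       /* 1 = ClientHello, 2 = ServerHello */
    uint16_t record_version; /* record-layer field: compatibility only */
    uint16_t hello_version;  /* client_version (highest offered) or
                                server_version (the one selected) */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse one handshake record holding a complete hello message.
 * Returns 0 on success, -1 on truncated or unexpected input. */
int parse_hello(const uint8_t *buf, size_t len, struct hello_versions *out)
{
    if (len < 5 || buf[0] != 0x16)          /* 0x16 = handshake record */
        return -1;
    size_t rec_len = rd16(buf + 3);
    if (rec_len > len - 5 || rec_len < 6)   /* need 4-byte header + version */
        return -1;
    const uint8_t *hs = buf + 5;
    if (hs[0] != 1 && hs[0] != 2)
        return -1;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len < 2 || hs_len > rec_len - 4) /* fragmented hellos not handled */
        return -1;
    out->msg_type = hs[0];
    out->record_version = rd16(buf + 1);
    out->hello_version = rd16(hs + 4);
    return 0;
}

/* Client-side decision after ServerHello, modelled as a range comparison:
 * 1 = continue the handshake, 0 = abort. A TLS 1.3 ServerHello carries its
 * real version in an extension, which this sketch does not parse. */
int client_accepts(const struct hello_versions *sh,
                   uint16_t min_v, uint16_t max_v)
{
    return sh->msg_type == 2 &&
           sh->hello_version >= min_v && sh->hello_version <= max_v;
}

/* Write a minimal constructed hello (zeroed random, empty session id, one
 * cipher suite, null compression) into buf (>= 50 bytes); returns length. */
size_t build_hello(uint8_t *buf, uint8_t type, uint16_t rec_v, uint16_t hello_v)
{
    size_t body = (type == 1) ? 41 : 38;
    memset(buf, 0, 5 + 4 + body);
    buf[0] = 0x16;
    buf[1] = (uint8_t)(rec_v >> 8);
    buf[2] = (uint8_t)(rec_v & 0xff);
    buf[4] = (uint8_t)(4 + body);           /* record length, low byte */
    buf[5] = type;
    buf[8] = (uint8_t)body;                 /* handshake length, low byte */
    buf[9] = (uint8_t)(hello_v >> 8);
    buf[10] = (uint8_t)(hello_v & 0xff);
    if (type == 1) {                        /* ClientHello tail */
        buf[45] = 2;                        /* cipher_suites length */
        buf[47] = 0x2f;                     /* one suite: 0x002f */
        buf[48] = 1;                        /* one compression method: null */
    } else {                                /* ServerHello tail */
        buf[45] = 0x2f;                     /* selected suite 0x002f */
    }
    return 5 + 4 + body;
}

int main(void)
{
    uint8_t buf[64];
    struct hello_versions v;

    /* Constructed ClientHello: record says TLS 1.0, hello offers TLS 1.2. */
    size_t n = build_hello(buf, 1, TLS1_0, TLS1_2);
    if (parse_hello(buf, n, &v) == 0)
        printf("ClientHello: record=0x%04x client_version=0x%04x\n",
               v.record_version, v.hello_version);

    /* Constructed ServerHello selecting TLS 1.1, client minimum TLS 1.2. */
    n = build_hello(buf, 2, TLS1_1, TLS1_1);
    if (parse_hello(buf, n, &v) == 0)
        printf("ServerHello 0x%04x, min TLS 1.2, max TLS 1.3: %s\n",
               v.hello_version,
               client_accepts(&v, TLS1_2, TLS1_3) ? "continue" : "abort");
    return 0;
}
```

The first constructed message reproduces the capture described in the thread: 0x0301 in the record layer next to 0x0303 in the hello is a single offer of "up to TLS 1.2", not a minimum/maximum pair.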


RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar
>what evidence you have that what you do is ineffective?
I tried connecting to some host by executing curl command with --tlsv1.1 and --tlsv1.0 options and am able to connect successfully.

>why you're not using?
>./config no-tls1 no-tls1_1
I have used these options in Makefile but still communication with TLS1.0 and TLS1.1 is working.
Confirmed by checking openssl/opensslconf.h file for OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 macros and macros are generated.

Kindly let me know what could be changed to disable TLS 1.0 and 1.1 at least by changing code in openssl.

-----Original Message-----
From: Hubert Kario [mailto:[hidden email]]
Sent: Friday, April 12, 2019 4:50 PM
To: Chethan Kumar <[hidden email]>
Cc: [hidden email]
Subject: Re: How to disable tls 1.0 and tls 1.1


Re: How to disable tls 1.0 and tls 1.1

Hubert Kario
On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
> >what evidence you have that what you do is ineffective?
>
> I tried connecting to some host by executing curl command with --tlsv1.1 and
> --tlsv1.0 options and am able to connect successfully.

Please note that curl developers have recently changed the meaning of those
options, please check if they do what you expect them to do by inspecting the
curl man page.

see: https://github.com/curl/curl/issues/2918

> >why you're not using?
> >./config no-tls1 no-tls1_1
>
> I have used these options in Makefile but still communication with TLS1.0
> and TLS1.1 is working.

what you mean by "used them in Makefile", I'm talking about configure script

> Confirmed by checking openssl/opensslconf.h file
> for OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 macros and macros are generated.
> Kindly let me know what could be changed to disable TLS 1.0 and 1.1 at least
> by changing code in openssl.

macros may still be generated because the API is retained for ABI
compatibility, does adding `no-tls1-method` and `no-tls1_1-method` produce the
expected result?
 

> -----Original Message-----
> From: Hubert Kario [mailto:[hidden email]]
> Sent: Friday, April 12, 2019 4:50 PM
> To: Chethan Kumar <[hidden email]>
> Cc: [hidden email]
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
>
> > > there is no "min" version in Client Hello, the version in record
> > > layer is irrelevant and used only for backwards compatibility *NOT*
> > > for negotiation
> >
> > Thank you for the information. But have a doubt, then what is the
> > importance of SSL_CTX_set_min_proto_version() and
> > SSL_CTX_set_max_proto_version() introduced in 1.1.X along with
> > SSL_CTX_set_options().
>
> when the minimum set is higher than what the server answers with, the
> *client* will reject the connection after receiving ServerHello
 
> that is:
> when SSL_CTX_set_min_proto_version is set to tls 1.2,
> SSL_CTX_set_max_proto_version si set to tls 1.3 and the server replies with
> ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort the
> connection
 

>
> > I would like to know how to disable TLSv1.0 and 1.1 using configure
> > option[CONFOPTS] in Makefile.
>
>
> what evidence you have that what you do is ineffective?
>
> why you're not using?
> ./config no-tls1 no-tls1_1
>
>
> > Thanks in advance,
> > Chethan Kumar
> >
> >
> > -----Original Message-----
> > From: Hubert Kario [mailto:[hidden email]]
> > Sent: Thursday, April 11, 2019 7:08 PM
> > To: [hidden email]
> > Cc: Chethan Kumar <[hidden email]>
> > Subject: Re: How to disable tls 1.0 and tls 1.1
> >
> > On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> >
> >
> > > Adding to previous mail,
> > > We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with disabling
> > > SSLv2
>
>  and v1 but still client hello is sent using min and max as TLS1.0
>
> > > and TLS1.2.
> >
> >
> >
> > there is no "min" version in Client Hello, the version in record layer
> > is irrelevant and used only for backwards compatibility *NOT* for
> > negotiation
> >
> >
> >
> > > Any idea what is wrong in our options and what should be used instead.?
> >
> >
> >
> > compile an openssl server with TLS 1.1 enabled, run openssl s_server
> > -tls1_1 to enable just TLS 1.1 and see if your production compile can
> > connect
>
>  
>
> >
> >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > > From: openssl-users [mailto:[hidden email]] On
> > > Behalf Of Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM
> > > To: [hidden email]
> > > Subject: How to disable tls 1.0 and tls 1.1
> > >
> > > Dear all,
> > >
> > > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while
> > > compiling openssl package. I am using 1.0.2n openssl version and
> > > disabled
> > > SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> > > -DOPENSSL_NO_SSL2.
> > >
> > > I also have a doubt on difference between -DSSL_OP_NO_SSLv2,
> > > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain
> > > the difference.
> > >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > >
> >
> >
> >
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>
>
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar
>Please note that curl developers have recently changed the meaning of those options, please check if they do what you expect them to do by inspecting the curl man page.
Thanks for the information. I understood it.
I also used openssl s_client to communicate with server using below command.
openssl s_client -connect 172.28.80.66:8080 -tls1_1
It says " unknown option -tls1_1"
Same for -tls1.

And even if I disable TLSv1.2 and execute  
openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
CONNECTED(00000003)
2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555075165
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

>what you mean by "used them in Makefile", I'm talking about configure script
I added these options in Makefile like,
CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method

> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
Yes, even after adding these options it produces the same result.

I am confused what is the problem.
Let me know if there is any other way to disable TLSv1.0 and TLS1.1


Thanks in advance,
Chethan Kumar
-----Original Message-----
From: Hubert Kario [mailto:[hidden email]]
Sent: Friday, April 12, 2019 6:11 PM
To: Chethan Kumar <[hidden email]>
Cc: [hidden email]
Subject: Re: How to disable tls 1.0 and tls 1.1

On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
> >what evidence you have that what you do is ineffective?
>
> I tried connecting to some host by executing curl command with
> --tlsv1.1 and
> --tlsv1.0 options and am able to connect successfully.

Please note that curl developers have recently changed the meaning of those options, please check if they do what you expect them to do by inspecting the curl man page.

see: https://github.com/curl/curl/issues/2918

> >why you're not using?
> >./config no-tls1 no-tls1_1
>
> I have used these options in Makefile but still communication with
> TLS1.0 and TLS1.1 is working.

what you mean by "used them in Makefile", I'm talking about configure script

> Confirmed by checking openssl/opensslconf.h file for OPENSSL_NO_TLS1
> and OPENSSL_NO_TLS1_1 macros and macros are generated.
> Kindly let me know what could be changed to disable TLS 1.0 and 1.1 at
> least by changing code in openssl.

macros may still be generated because the API is retained for ABI compatibility, do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
 

> -----Original Message-----
> From: Hubert Kario [mailto:[hidden email]]
> Sent: Friday, April 12, 2019 4:50 PM
> To: Chethan Kumar <[hidden email]>
> Cc: [hidden email]
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
>
> > > there is no "min" version in Client Hello, the version in record
> > > layer is irrelevant and used only for backwards compatibility
> > > *NOT* for negotiation
> >
> > Thank you for the information. But have a doubt, then what is the
> > importance of SSL_CTX_set_min_proto_version() and
> > SSL_CTX_set_max_proto_version() introduced in 1.1.X along with
> > SSL_CTX_set_options().
>
> when the minimum set is higher than what the server answers with, the
> *client* will reject the connection after receiving ServerHello
 
> that is:
> when SSL_CTX_set_min_proto_version is set to tls 1.2,
> SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies
> with ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort
> the connection
 

>
> > I would like to know how to disable TLSv1.0 and 1.1 using configure
> > option[CONFOPTS] in Makefile.
>
>
> what evidence you have that what you do is ineffective?
>
> why you're not using?
> ./config no-tls1 no-tls1_1
>
>
> > Thanks in advance,
> > Chethan Kumar
> >
> >
> > -----Original Message-----
> > From: Hubert Kario [mailto:[hidden email]]
> > Sent: Thursday, April 11, 2019 7:08 PM
> > To: [hidden email]
> > Cc: Chethan Kumar <[hidden email]>
> > Subject: Re: How to disable tls 1.0 and tls 1.1
> >
> > On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> >
> >
> > > Adding to previous mail,
> > > > We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with disabling
> > > > SSLv2 and v1 but still client hello is sent using min and max as TLS1.0
> > > > and TLS1.2.
> >
> >
> >
> > there is no "min" version in Client Hello, the version in record
> > layer is irrelevant and used only for backwards compatibility *NOT*
> > for negotiation
> >
> >
> >
> > > Any idea what is wrong in our options and what should be used instead.?
> >
> >
> >
> > compile an openssl server with TLS 1.1 enabled, run openssl s_server
> > -tls1_1 to enable just TLS 1.1 and see if your production compile
> > can connect
>
>  
>
> >
> >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > > From: openssl-users [mailto:[hidden email]] On
> > > Behalf Of Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM
> > > To: [hidden email]
> > > Subject: How to disable tls 1.0 and tls 1.1
> > >
> > > Dear all,
> > >
> > > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1
> > > while compiling openssl package. I am using 1.0.2n openssl version
> > > and disabled
> > > SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> > > -DOPENSSL_NO_SSL2.
> > >
> > > I also have a doubt on difference between -DSSL_OP_NO_SSLv2,
> > > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please
> > > explain the difference.
> > >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > >
> >
> >
> >
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>
>
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: How to disable tls 1.0 and tls 1.1

Hubert Kario
On Friday, 12 April 2019 15:37:37 CEST Chethan Kumar wrote:

> >Please note that curl developers have recently changed the meaning of those
> >options, please check if they do what you expect them to do by inspecting
> >the curl man page.
> Thanks for the information. I understood it.
> I also used openssl s_client to communicate with server using below
> command.
> openssl s_client -connect 172.28.80.66:8080 -tls1_1
> It says " unknown option -tls1_1"
> Same for -tls1.
>
> And even if I disable TLSv1.2 and execute  
> openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
> WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
> CONNECTED(00000003)
> 2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 113 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1555075165
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
that looks like TLS 1.1 being disabled to me
 
> >what you mean by "used them in Makefile", I'm talking about configure
> >script
> I added these options in Makefile like,
> CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method
>
> > do adding `no-tls1-method` and `no-tls1_1-method` produce the expected
> > result?
> Yes, even after adding these options it produces the same result.
>
> I am confused what is the problem.
> Let me know if there is any other way to disable TLSv1.0 and TLS1.1

sorry, I'm not familiar with openssl compilation configuration to say if this
is expected and correct behaviour

> Thanks in advance,
> Chethan Kumar
> -----Original Message-----
> From: Hubert Kario [mailto:[hidden email]]
> Sent: Friday, April 12, 2019 6:11 PM
> To: Chethan Kumar <[hidden email]>
> Cc: [hidden email]
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
>
> > >what evidence you have that what you do is ineffective?
> >
> >
> > I tried connecting to some host by executing curl command with
> > --tlsv1.1 and
> > --tlsv1.0 options and am able to connect successfully.
>
>
> Please note that curl developers have recently changed the meaning of those
> options, please check if they do what you expect them to do by inspecting
> the curl man page.
 

> see: https://github.com/curl/curl/issues/2918
>
>
> > >why you're not using?
> > >./config no-tls1 no-tls1_1
> >
> >
> > I have used these options in Makefile but still communication with
> > TLS1.0 and TLS1.1 is working.
>
>
> what you mean by "used them in Makefile", I'm talking about configure
> script
 

>
> > Confirmed by checking openssl/opensslconf.h file for OPENSSL_NO_TLS1
> > and OPENSSL_NO_TLS1_1 macros and macros are generated.
> > Kindly let me know what could be changed to disable TLS 1.0 and 1.1 at
> > least by changing code in openssl.
>
>
> macros may still be generated because the API is retained for ABI
> compatibility, do adding `no-tls1-method` and `no-tls1_1-method` produce
> the expected result?
 

>
> > -----Original Message-----
> > From: Hubert Kario [mailto:[hidden email]]
> > Sent: Friday, April 12, 2019 4:50 PM
> > To: Chethan Kumar <[hidden email]>
> > Cc: [hidden email]
> > Subject: Re: How to disable tls 1.0 and tls 1.1
> >
> > On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> >
> >
> > > > there is no "min" version in Client Hello, the version in record
> > > > layer is irrelevant and used only for backwards compatibility
> > > > *NOT* for negotiation
> > >
> > >
> > > Thank you for the information. But have a doubt, then what is the
> > > importance of SSL_CTX_set_min_proto_version() and
> > > SSL_CTX_set_max_proto_version() introduced in 1.1.X along with
> > > SSL_CTX_set_options().
> >
> >
> > when the minimum set is higher than what the server answers with, the
> > *client* will reject the connection after receiving ServerHello
>
>  
>
> > that is:
> > when SSL_CTX_set_min_proto_version is set to tls 1.2,
> > SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies
> > with ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort
> > the connection
>
>  
>
> >
> >
> > > I would like to know how to disable TLSv1.0 and 1.1 using configure
> > > option[CONFOPTS] in Makefile.
> >
> >
> >
> > what evidence you have that what you do is ineffective?
> >
> > why you're not using?
> > ./config no-tls1 no-tls1_1
> >
> >
> >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > >
> > > -----Original Message-----
> > > From: Hubert Kario [mailto:[hidden email]]
> > > Sent: Thursday, April 11, 2019 7:08 PM
> > > To: [hidden email]
> > > Cc: Chethan Kumar <[hidden email]>
> > > Subject: Re: How to disable tls 1.0 and tls 1.1
> > >
> > > On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> > >
> > >
> > >
> > > > Adding to previous mail,
> > > > > We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with
> > > > > disabling SSLv2 and v1 but still client hello is sent using min
> > > > > and max as TLS1.0 and TLS1.2.
> > >
> > >
> > >
> > >
> > > there is no "min" version in Client Hello, the version in record
> > > layer is irrelevant and used only for backwards compatibility *NOT*
> > > for negotiation
> > >
> > >
> > >
> > >
> > > > Any idea what is wrong in our options and what should be used
> > > > instead.?
> > >
> > >
> > >
> > >
> > > compile an openssl server with TLS 1.1 enabled, run openssl s_server
> > > -tls1_1 to enable just TLS 1.1 and see if your production compile
> > > can connect
> >
> >
> >
> >  
> >
> >
> >
> > >
> > >
> > >
> > > > Thanks in advance,
> > > > Chethan Kumar
> > > >
> > > > From: openssl-users [mailto:[hidden email]] On
> > > > Behalf Of Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM
> > > > To: [hidden email]
> > > > Subject: How to disable tls 1.0 and tls 1.1
> > > >
> > > > Dear all,
> > > >
> > > > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1
> > > > while compiling openssl package. I am using 1.0.2n openssl version
> > > > and disabled
> > > > SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> > > > -DOPENSSL_NO_SSL2.
> > > >
> > > > I also have a doubt on difference between -DSSL_OP_NO_SSLv2,
> > > > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please
> > > > explain the difference.
> > > >
> > > > Thanks in advance,
> > > > Chethan Kumar
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Hubert Kario
> > > Senior Quality Engineer, QE BaseOS Security team
> > > Web: www.cz.redhat.com
> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> >
> >
> >
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>
>
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


Re: How to disable tls 1.0 and tls 1.1

Matt Caswell-2
In reply to this post by Chethan Kumar


On 12/04/2019 14:37, Chethan Kumar wrote:
>> Please note that curl developers have recently changed the meaning of those options, please check if they do what you expect them to do by inspecting the curl man page.
> Thanks for the information. I understood it.
> I also used openssl s_client to communicate with server using below command.
> openssl s_client -connect 172.28.80.66:8080 -tls1_1
> It says " unknown option -tls1_1"
> Same for -tls1.

If s_client doesn't recognise the -tls1_1 and -tls1 options then this means that
TLSv1.1 and TLSv1.0 have been disabled.

>
> And even if I disable TLSv1.2 and execute  
> openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
> WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
> CONNECTED(00000003)
> 2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

So you attempt a connection and ask s_client to disable TLSv1.2 at runtime.
You've already asked it to disable TLSv1.1 and TLSv1.0 at compile time. Since
SSLv3 is also compiled out by default there are no protocol versions left so the
expected result will be a handshake failure - which is exactly what you've got.

>> what you mean by "used them in Makefile", I'm talking about configure script
> I added these options in Makefile like,
> CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method

*Don't edit the Makefile*. You only need to pass options to Configure.

>
>> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
> Yes, even after adding these options it produces the same result.

The result above means you have disabled TLSv1.1 and TLSv1.0 - which was your
objective IIUC.


>
> I am confused what is the problem.
> Let me know if there is any other way to disable TLSv1.0 and TLS1.1

It sounds like you already did it.

Matt
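
Hubert Kario's point earlier in this thread, that the record-layer version in a ClientHello is not a "min" version and that the client enforces its own minimum only after ServerHello, can be checked on captured bytes. The following is an added example, not code from OpenSSL or from any poster: the struct and function names are hypothetical, both ClientHello byte strings are constructed samples, and the supported_versions handling goes beyond the 1.0.2 case discussed here to cover TLS 1.3 clients. It assumes the whole ClientHello sits in one TLS record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303, TLS1_3 = 0x0304 }; /* wire (major, minor) */

struct hello_versions {       /* hypothetical name, not an OpenSSL type */
    uint16_t record_version;  /* record layer: compatibility only */
    uint16_t client_version;  /* ClientHello.client_version: highest offered */
    uint16_t supported[8];    /* supported_versions extension, if present */
    size_t n_supported;
};
struct cursor { const uint8_t *p; size_t left; };

/* Consume n bytes; fail rather than read past the end of the buffer. */
static int take(struct cursor *c, size_t n, const uint8_t **out)
{
    if (c->left < n) return -1;
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}

/* Read an nbytes-long big-endian integer. */
static int get_uint(struct cursor *c, size_t nbytes, uint32_t *v)
{
    const uint8_t *b; size_t i;
    if (take(c, nbytes, &b)) return -1;
    for (*v = 0, i = 0; i < nbytes; i++) *v = (*v << 8) | b[i];
    return 0;
}

/* Skip a vector whose length prefix is nbytes long. */
static int skip_vec(struct cursor *c, size_t nbytes)
{
    uint32_t len; const uint8_t *b;
    return get_uint(c, nbytes, &len) ? -1 : take(c, len, &b);
}

/* Parse one TLS record carrying a whole ClientHello; 0 on success, -1 if malformed. */
int parse_client_hello(const uint8_t *buf, size_t len, struct hello_versions *out)
{
    struct cursor c = { buf, len }, e;
    uint32_t type, v, n, ext_type, ext_len;
    const uint8_t *rnd;
    out->n_supported = 0;
    if (get_uint(&c, 1, &type) || type != 0x16) return -1;  /* handshake record */
    if (get_uint(&c, 2, &v)) return -1;
    out->record_version = (uint16_t)v;
    if (get_uint(&c, 2, &n) || n > c.left) return -1;
    c.left = n;                                             /* stay inside the record */
    if (get_uint(&c, 1, &type) || type != 0x01) return -1;  /* ClientHello */
    if (get_uint(&c, 3, &n) || n > c.left) return -1;
    c.left = n;
    if (get_uint(&c, 2, &v)) return -1;
    out->client_version = (uint16_t)v;
    if (take(&c, 32, &rnd)) return -1;                      /* random */
    if (skip_vec(&c, 1) || skip_vec(&c, 2) || skip_vec(&c, 1)) return -1; /* id, suites, compression */
    if (c.left == 0) return 0;                              /* no extensions */
    if (get_uint(&c, 2, &n) || n > c.left) return -1;
    c.left = n;
    while (c.left > 0) {
        if (get_uint(&c, 2, &ext_type) || get_uint(&c, 2, &ext_len)) return -1;
        if (take(&c, ext_len, &e.p)) return -1;
        e.left = ext_len;
        if (ext_type != 0x002b) continue;                   /* want supported_versions */
        if (get_uint(&e, 1, &n) || n != e.left || n % 2) return -1;
        while (e.left > 0 && out->n_supported < 8) {
            if (get_uint(&e, 2, &v)) return -1;
            out->supported[out->n_supported++] = (uint16_t)v;
        }
    }
    return 0;
}

/* Client-side check on the ServerHello version: outside [min, max] the client aborts. */
int client_accepts(uint16_t min_v, uint16_t max_v, uint16_t server_v)
{
    return server_v >= min_v && server_v <= max_v;
}

/* Constructed: client_version 3.3, zeroed random, empty session_id, one suite, null compression. */
#define BODY 0x03,0x03, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, \
             0,0,0,0,0,0,0,0, 0x00, 0x00,0x02,0xc0,0x2f, 0x01,0x00
static const uint8_t SAMPLE_TLS12_HELLO[] = {  /* extensions: renegotiation_info */
    0x16,0x03,0x01,0x00,0x34, 0x01,0x00,0x00,0x30, BODY,
    0x00,0x05, 0xff,0x01,0x00,0x01,0x00 };
static const uint8_t SAMPLE_TLS13_HELLO[] = {  /* supported_versions: 1.3, 1.2 */
    0x16,0x03,0x01,0x00,0x38, 0x01,0x00,0x00,0x34, BODY,
    0x00,0x09, 0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03 };

int main(void)
{
    struct hello_versions h;
    if (parse_client_hello(SAMPLE_TLS12_HELLO, sizeof SAMPLE_TLS12_HELLO, &h)) return 1;
    printf("record 0x%04x, client_version 0x%04x, ServerHello TLS 1.1 -> %s\n",
           (unsigned)h.record_version, (unsigned)h.client_version,
           client_accepts(TLS1_2, TLS1_3, TLS1_1) ? "continue" : "abort");
    return 0;
}
```

A record-layer value of 0x0301 next to a client_version of 0x0303 is what the original poster read as "min and max"; only client_version (or supported_versions, when present) takes part in negotiation.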


RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar
Thanks to both Hubert Kario and Matt Caswell for your valuable information.
This group has helped a lot in gaining many insights on openssl for a newbie like me.

I was wrong in my understanding.
But I executed the below command to communicate with TLS1.2 when only TLS1.0 and 1.1 were disabled,
and even it failed to execute, saying "unknown option -tls1_2".
Any reason for that?

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Matt Caswell
Sent: Friday, April 12, 2019 7:28 PM
To: [hidden email]
Subject: Re: How to disable tls 1.0 and tls 1.1




Re: How to disable tls 1.0 and tls 1.1

Matt Caswell-2


On 12/04/2019 15:50, Chethan Kumar wrote:
> Thank to both Hubert Kario and Matt Caswell for your valuable information.
> This group has helped a lot in gaining many insights on openssl  for newbie like me.
>
> I was wrong with my understanding.
> But i executed below command to communicate with TLS1.2 when only TLS1.0 and 1.1 was disabled,
> Even it got failed to execute by saying "unknown option -tls1_2".
> Any reason for that.?

Ah! My apologies - I've just now realised that you are using OpenSSL 1.0.2 (and
going back to your original post I see that you did actually say that). Sorry
for misleading you.

OpenSSL 1.0.2 works differently to later versions in this regard and quite
inconsistently. You can disable SSLv2 and SSLv3 at compile time (SSLv2 is
disabled by default) using the no-ssl2 and no-ssl3 options.

If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time.
Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the
SSL_CTX_set_options() or SSL_set_options() functions.

Matt

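The run-time switch described in the reply above, shown through Python's `ssl` module as an added example that is not code from the thread: `ssl.OP_NO_TLSv1` and `ssl.OP_NO_TLSv1_1` are that module's names for the same OpenSSL option bits, and the helper names below are made up for this illustration. It then parses the ClientHello the context produces, over memory BIOs with no network, to check which versions it advertises.

```python
import ssl
import struct

def hardened_client_context():
    """Client context with TLSv1.0 and TLSv1.1 turned off at run time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no peer in this demo, only a ClientHello
    ctx.verify_mode = ssl.CERT_NONE
    # Python's names for SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 (newer Python prefers minimum_version).
    ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return ctx

def client_hello_record(ctx):
    """Start a handshake over memory BIOs and return the first record sent."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # expected: there is no server to answer
    return outgoing.read()

def parse_client_hello(record):
    """Return (record_version, client_version, supported_versions)."""
    ctype, record_version, _length = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    (client_version,) = struct.unpack("!H", hs[4:6])
    pos = 6 + 32                                          # skip random
    pos += 1 + hs[pos]                                    # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
    pos += 1 + hs[pos]                                    # compression methods
    offered = []   # stays empty when the hello has no supported_versions
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                            # supported_versions
                offered = [struct.unpack("!H", body[i:i + 2])[0]
                           for i in range(1, 1 + body[0], 2)]
            pos += 4 + ext_len
    return record_version, client_version, offered

if __name__ == "__main__":
    rec, ver, offered = parse_client_hello(client_hello_record(hardened_client_context()))
    print(hex(rec), hex(ver), [hex(v) for v in offered])
```

When the ClientHello has no supported_versions extension it carries only the highest version the client supports, and the record layer version is a separate field, so neither field shows the configured minimum.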

RE: How to disable tls 1.0 and tls 1.1

Chethan Kumar
>>If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time.
>>Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the
>>SSL_CTX_set_options() or SSL_set_options() functions.
Since we have many applications using openssl services, it is difficult to implement this in all applications.

I need to find a single point in the openssl source code [if not in the Makefile] to disable TLSv1.0 and TLS1.1 for both server and client communications.

Thanks in advance,
Chethan

-----Original Message-----
From: Matt Caswell [mailto:[hidden email]]
Sent: Friday, April 12, 2019 9:21 PM
To: Chethan Kumar <[hidden email]>; [hidden email]
Subject: Re: How to disable tls 1.0 and tls 1.1


