How to limit advertised maximum ssl version in ssl23 client hello

How to limit advertised maximum ssl version in ssl23 client hello

Joseph Southwell
So I have a server I connect to that replies “insufficient security” when I connect with an ssl23 client hello from openssl 1.0.2. However, when I connect with any of ssl3-tls1.1 client hello it works. It doesn’t work if I try to connect with a tls1.2 client hello. I am trying to narrow down the problem so I would like to send an ssl23 client hello that only advertises up to 1.1. Any idea how to do just that?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: How to limit advertised maximum ssl version in ssl23 client hello

Viktor Dukhovni


> On Nov 30, 2017, at 9:22 AM, Joseph Southwell <[hidden email]> wrote:
>
> So I have a server I connect to that replies “insufficient security” when I connect with an ssl23 client hello from openssl 1.0.2. However, when I connect with any of ssl3-tls1.1 client hello it works. It doesn’t work if I try to connect with a tls1.2 client hello. I am trying to narrow down the problem so I would like to send an ssl23 client hello that only advertises up to 1.1. Any idea how to do just that?

OpenSSL 1.1.0 provides controls to explicitly set the maximum and/or
minimum SSL/TLS protocol version.  In OpenSSL 1.0.2, you can only
disable specific versions via SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3,
SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 or SSL_OP_NO_TLSv1_2, making sure
to not introduce "holes"!  After disabled protocols are removed, the
remaining protocols *MUST* form a contiguous range with no gaps in
the middle.

--
        Viktor.
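
As an added illustration of the reply above (not code from the thread or from OpenSSL): a pre-flight check for the "no holes" rule on a 1.0.2-style SSL_OP_NO_* mask, applied to the "advertise at most TLS 1.1" case from the question. `cap_at` and `enabled_range` are hypothetical helpers, and the flag values are repeated from 1.0.2's ssl.h only so the block builds without the headers; in 1.1.0 the max-version control (SSL_CTX_set_max_proto_version) makes this unnecessary.

```c
#include <stdio.h>
/* SSL_OP_NO_* values as in OpenSSL 1.0.2's <openssl/ssl.h>, used if headers are absent. */
#ifndef SSL_OP_NO_TLSv1_2
# define SSL_OP_NO_SSLv2   0x01000000L
# define SSL_OP_NO_SSLv3   0x02000000L
# define SSL_OP_NO_TLSv1   0x04000000L
# define SSL_OP_NO_TLSv1_2 0x08000000L
# define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

/* Ascending protocol order; the flag bits themselves are not in this order. */
static const struct { const char *name; long flag; } PROTO[] = {
    {"SSLv2", SSL_OP_NO_SSLv2}, {"SSLv3", SSL_OP_NO_SSLv3}, {"TLSv1", SSL_OP_NO_TLSv1},
    {"TLSv1.1", SSL_OP_NO_TLSv1_1}, {"TLSv1.2", SSL_OP_NO_TLSv1_2},
};
enum { NPROTO = sizeof PROTO / sizeof PROTO[0] };
/* Hypothetical helper: mask that disables every protocol above PROTO[max]. */
long cap_at(int max)
{
    long mask = 0;
    for (int i = max + 1; i < NPROTO; i++) mask |= PROTO[i].flag;
    return mask;
}

/* Hypothetical helper: returns 0 and sets *lo..*hi (PROTO indexes) when the
 * protocols left enabled are contiguous; -1 on a hole or if none remain. */
int enabled_range(long options, int *lo, int *hi)
{
    int first = -1, last = -1;
    for (int i = 0; i < NPROTO; i++) {
        if (options & PROTO[i].flag) continue;       /* this version is disabled */
        if (first >= 0 && last != i - 1) return -1;  /* gap below version i */
        if (first < 0) first = i;
        last = i;
    }
    if (first < 0) return -1;
    *lo = first; *hi = last;
    return 0;
}

int main(void)
{
    int lo, hi;
    long opts = SSL_OP_NO_SSLv2 | cap_at(3);     /* advertise at most TLSv1.1 */
    if (enabled_range(opts, &lo, &hi) == 0)      /* then SSL_CTX_set_options(ctx, opts) */
        printf("0x%08lx: %s..%s\n", (unsigned long)opts, PROTO[lo].name, PROTO[hi].name);
    printf("NO_TLSv1_1 alone: %d\n", enabled_range(SSL_OP_NO_TLSv1_1, &lo, &hi));
    return 0;
}
```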
