Query on API availability for openssl versions


Query on API availability for openssl versions

Grace Priscilla Jero
Hi All,

1)
The APIs below, used to set the maximum and minimum versions, are available in the 1.1.0f version of OpenSSL.

 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
 int SSL_set_min_proto_version(SSL *ssl, int version);
 int SSL_set_max_proto_version(SSL *ssl, int version);

 Do you have the same in any of the 1.0.2x threads, or plan to have it in any later versions? We don't see it available in the 1.0.2k or 1.0.2l versions. Kindly update us on the same.

2)
There is a set of APIs to set/get the security level, wherein each level supports a set of cipher suites. Is there something available in OpenSSL wherein I can get the level and set it when I provide a cipher suite?
We have a case where we give the user a provision to provide his own list of cipher suites, and we need to set the appropriate level in the API so that we support it for the connections. Kindly provide your comments.

Thanks,
Grace

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Query on API availability for openssl versions

Matt Caswell-2


On 17/10/17 09:21, Grace Priscilla Jero wrote:

> Hi All,
>
> 1)
> The below APIs used to set the maximum and minimum versions are
> available in 1.1.0f version of OPENSSL.
>
>  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
>  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
>  int SSL_set_min_proto_version(SSL *ssl, int version);
>  int SSL_set_max_proto_version(SSL *ssl, int version);
>
>  Do you have the same in any of the 1.0.2x threads or plan to have it in
> any later versions. We don't see it available in 1.0.2k or 1.0.2l
> versions. Kindly update us on the same.

These APIs were first introduced into 1.1.0, and we intend to continue
to support them moving forward in future versions. However they will not
be backported to the 1.0.2 branch. We do not add new features to a
stable branch.

In 1.0.2 you must use the options SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 via the SSL_CTX_set_options() or
SSL_set_options() functions.


>
> 2)
> There are a set of APIs to set/get security level wherein each level
> supports a set of cipher suites. Is there something available in OPENSSL
> wherein I can get the level and set it when I provide a cipher suite.
> We have a case where we give the user a provision to provide his own
> list of cipher suites and we need to set the appropriate level in the
> API so that we support it for the connections. Kindly provide your comments.

You can set the security level via the cipher string using the special
cipher string command "@SECLEVEL". For example to set all default
ciphersuites at security level 2 or above you can use:

"DEFAULT:@SECLEVEL=2"

Matt

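The two answers above translate into two small pieces of application code: on 1.0.2, the SSL_OP_NO_* options must be derived from the protocol window you want (there is no set_min/max_proto_version), and the security level is pinned by appending "@SECLEVEL=<n>" to the cipher string. The following is an added example, not code from Matt's reply or from the OpenSSL project. The helpers proto_range_to_options() and build_cipher_string() are hypothetical names; the fallback #defines mirror the constant values from <openssl/ssl.h> in the 1.0.2 and 1.1.0 series so the file compiles without libssl, and the SSL_CTX_* calls that would consume the results are shown only in a comment.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/*
 * Fallback definitions so this file compiles without OpenSSL installed.
 * The values match <openssl/ssl.h> in the 1.0.2 and 1.1.0 series; in a
 * real build include that header and these #defines are skipped.
 */
#ifndef SSL3_VERSION
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#endif
#ifndef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#endif

/*
 * Hypothetical helper: translate the [min_version, max_version] window that
 * 1.1.0's SSL_CTX_set_min/max_proto_version() would express into the
 * SSL_OP_NO_* mask that 1.0.2 needs via SSL_CTX_set_options(). Every
 * version outside the window is disabled. Returns -1 if the window is empty
 * or names a version this table does not know, so the caller can refuse
 * instead of falling through to "everything enabled".
 */
long proto_range_to_options(int min_version, int max_version)
{
    static const struct { int version; long no_option; } versions[] = {
        { SSL3_VERSION,   SSL_OP_NO_SSLv3 },
        { TLS1_VERSION,   SSL_OP_NO_TLSv1 },
        { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
        { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
    };
    long options = 0;
    int min_known = 0, max_known = 0;
    size_t i;

    if (min_version > max_version)
        return -1;
    for (i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        if (versions[i].version == min_version) min_known = 1;
        if (versions[i].version == max_version) max_known = 1;
        if (versions[i].version < min_version || versions[i].version > max_version)
            options |= versions[i].no_option;
    }
    return (min_known && max_known) ? options : -1;
}

/*
 * Hypothetical helper for the cipher-suite question: append the
 * "@SECLEVEL=<n>" directive to a caller-supplied cipher list so the level
 * the application enforces is pinned regardless of what the user typed.
 * A list that already contains "@SECLEVEL" is rejected so a user-supplied
 * list cannot carry its own (lower) level; levels outside 0..5 are
 * rejected too. Returns 0 on success, -1 on error (out is then unusable).
 */
int build_cipher_string(const char *user_list, int level, char *out, size_t out_len)
{
    int n;

    if (user_list == NULL || *user_list == '\0' || out == NULL)
        return -1;
    if (level < 0 || level > 5)
        return -1;
    if (strstr(user_list, "@SECLEVEL") != NULL)
        return -1;
    n = snprintf(out, out_len, "%s:@SECLEVEL=%d", user_list, level);
    if (n < 0 || (size_t)n >= out_len)
        return -1;   /* truncated: never hand OpenSSL a partial string */
    return 0;
}

int main(void)
{
    char cipher_string[128];
    long opts = proto_range_to_options(TLS1_1_VERSION, TLS1_2_VERSION);

    /* On 1.0.2 the two results would be applied as
     *   SSL_CTX_set_options(ctx, opts);
     *   SSL_CTX_set_cipher_list(ctx, cipher_string);
     * (calls omitted here so the file builds without libssl). */
    printf("options mask for TLS1.1..TLS1.2: 0x%08lx\n", opts);
    if (build_cipher_string("ECDHE-RSA-AES256-GCM-SHA384:DEFAULT", 2,
                            cipher_string, sizeof cipher_string) == 0)
        printf("cipher string: %s\n", cipher_string);
    return 0;
}
```

Deriving the option mask from a contiguous window, rather than letting callers OR together individual SSL_OP_NO_* flags, is a deliberate design choice: it makes a non-contiguous set of enabled versions impossible to express, and an unknown version yields an error rather than a mask that silently enables everything.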

Re: Query on API availability for openssl versions

Grace Priscilla Jero
Thank you Matt for the quick response.
For "2", does it mean that every cipher suite can operate in multiple levels?
I thought that there was a specific set of cipher suites operating in each of the levels.

Thanks,
Grace

On Tue, Oct 17, 2017 at 2:25 PM, Matt Caswell <[hidden email]> wrote:



Re: Query on API availability for openssl versions

Jakob Bohm-7
The security levels are simply a classification of the cipher
suites by quality.  Typically one would select all ciphers above
a certain level.

Most cipher suites work with all protocol levels >= a certain
level, with SSL2 (dead) and TLS1.3 (future) being exceptions.
Selecting something like "TLS1.1" in the cipher suite list simply
selects those cipher suites that were new in TLS1.1, it does not
actually select the TLS1.1 protocol.

On 17/10/2017 11:01, Grace Priscilla Jero wrote:



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: Query on API availability for openssl versions

Matt Caswell-2


On 17/10/17 10:01, Grace Priscilla Jero wrote:
> Thank you Matt for the quick response.
> For "2," does it mean that every cipher suite can operate in multiple
> levels? 
> I thought that there were specific set of cipher suites operating in
> each of the levels.

Not quite. The security levels look at the amount of security you can
expect from all the algorithms in a ciphersuite.

I dug out this description I had in a document (not checked to see if
this is completely current (it was written a couple of years ago while
1.1.0 was still in development), but you get the idea):

• Level 0: No restrictions
• Level 1: 80 bits of security. Encryption algorithms with less than 80
security bits will be excluded, as will RSA, DSA and DH keys shorter
than 1024 bits and ECC keys less than 160 bits in length. Also
prohibited is any ciphersuite based on MD5 for its MAC.
• Level 2: 112 bits of security. Encryption algorithms with less than
112 security bits will be excluded, as will RSA, DSA and DH keys shorter
than 2048 bits and ECC keys less than 224 bits in length. Additionally
MD5 based MACs, SSLv3 and compression are prohibited.
• Level 3: 128 bits of security. Encryption algorithms with less than
128 security bits will be excluded, as will RSA, DSA and DH keys shorter
than 3072 bits and ECC keys less than 256 bits in length. Additionally
MD5, SSLv3, TLSv1.0, compression and session tickets are prohibited.
• Level 4: 192 bits of security. Encryption algorithms with less than
192 security bits will be excluded, as will RSA, DSA and DH keys shorter
than 7680 bits and ECC keys less than 384 bits in length. Additionally
MD5 or SHA1 based MACs, SSLv3, TLSv1.0, TLSv1.1, compression and session
tickets are prohibited.
• Level 5: 256 bits of security. Encryption algorithms with less than
256 security bits will be excluded, as will RSA, DSA and DH keys shorter
than 15360 bits and ECC keys less than 512 bits in length. Additionally
MD5 or SHA1 based MACs, SSLv3, TLSv1.0, TLSv1.1, compression and
session tickets are prohibited.

This may mean that an individual ciphersuite is excluded completely by a
security level, or it might mean it just has restrictions on the key
lengths that are acceptable to use with it.

Matt

