Query regarding upgrading TLS compatibility

Query regarding upgrading TLS compatibility

Hegde, Harsha

Hi,

I have a query regarding TLS compatibility used in my application. Currently we are using TLS1.2 to connect to a third party server. Is there any way to always use the highest TLS available version without modifying or recompiling the application code whenever there is any new version of TLS released.

Thanks & Regards

Harsha


______________________________________________________________________
Disclaimer: This email and any attachments are sent in strictest confidence
for the sole use of the addressee and may contain legally privileged,
confidential, and proprietary data. If you are not the intended recipient,
please advise the sender by replying promptly to this email and then delete
and destroy this email and any attachments without any further use, copying
or forwarding.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Query regarding upgrading TLS compatibility

Benjamin Kaduk (via openssl-users)
On 04/03/2017 04:42 AM, Hegde, Harsha wrote:

Hi,

I have a query regarding TLS compatibility used in my application. Currently we are using TLS1.2 to connect to a third party server. Is there any way to always use the highest TLS available version without modifying or recompiling the application code whenever there is any new version of TLS released.

The closest you can come is to use TLS_method() (or the client- or server-specific version of it), which will prefer the highest version supported by the library, but also be able to use older versions if needed in order to interoperate with the peer.  It's not entirely clear whether your question was about restricting to specifically the highest version, to the exclusion of older versions.

-Ben

Re: Query regarding upgrading TLS compatibility

Viktor Dukhovni

> On Apr 3, 2017, at 5:58 PM, Benjamin Kaduk via openssl-users <[hidden email]> wrote:
>
>> I have a query regarding TLS compatibility used in my application. Currently we are using TLS1.2 to connect to a third party server. Is there any way to always use the highest TLS available version without modifying or recompiling the application code whenever there is any new version of TLS released.
>
> The closest you can come is to use TLS_method() (or the client- or server-specific version of it), which will prefer the highest version supported by the library, but also be able to use older versions if needed in order to interoperate with the peer.  It's not entirely clear whether your question was about restricting to specifically the highest version, to the exclusion of older versions.

I would phrase this more forcefully.  The correct way to do exactly what the
OP asked for is to use TLS_method() and friends with OpenSSL 1.1.0 or later,
or their OpenSSL 1.0.x equivalents SSLv23_method() and friends.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html

TLS is downgrade-resistant, so there's no need to restrict to just
the most recent version.  Just disable all the obsolete versions that
have exposure to known attacks, currently SSLv2 and SSLv3.

Already with TLS 1.0 negotiation to the highest mutually supported
version should not be subject to downgrade attacks.  However, if
all the expected peers support TLS 1.2, one can also disable TLS 1.0
and TLS 1.1.

  https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
  https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

--
        Viktor.

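Added example (not part of the thread above, and not OpenSSL project code): the advice in Viktor's reply, shown from Python, whose ssl module is a thin wrapper over libssl. ssl.PROTOCOL_TLS_CLIENT is TLS_client_method(), and minimum_version / maximum_version map to SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version() in 1.1.0+ (SSL_OP_NO_SSLv2/SSLv3 in 1.0.x). The script pins only the floor (TLS 1.2), leaves the ceiling at "whatever this library supports", drives the first handshake flight into a memory BIO with no network, and parses the ClientHello's supported_versions extension so you can see what the installed libssl actually offers. The hostname "example.test" is a placeholder; no server is contacted.

```python
"""Offer the highest TLS version the installed libssl supports, without
hard-coding it.  Added example; not code from the original thread.

PROTOCOL_TLS_CLIENT == TLS_client_method().  Pinning minimum_version and
leaving maximum_version open is the Python spelling of
SSL_CTX_set_min_proto_version() + "don't call SSL_CTX_set_max_proto_version".
"""
import ssl
import struct

SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 ExtensionType.supported_versions
LIBRARY_HAS_TLS13 = ssl.HAS_TLSv1_3  # what the linked libssl was built with


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """TLS_client_method()-style context: obsolete floor excluded, ceiling open.

    A newer libssl that adds a protocol version is offered automatically,
    because maximum_version stays MAXIMUM_SUPPORTED.  Verification keeps the
    secure defaults of PROTOCOL_TLS_CLIENT (CERT_REQUIRED + hostname check);
    call ctx.load_default_certs() before a real connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def capture_client_hello(ctx, server_hostname="example.test"):
    """Run the client's first flight into a MemoryBIO and return its bytes.

    server_hostname is a placeholder (assumption); nothing is contacted.
    """
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the peer
    return outgoing.read()


def offered_versions(client_hello):
    """Return the set of 16-bit version codes a ClientHello offers (e.g. 0x0304).

    Layout: TLS record header (5 bytes), Handshake header (4 bytes), then
    client_version(2) random(32) session_id<1> cipher_suites<2>
    compression_methods<1> extensions<2>.  If supported_versions is absent
    (TLS 1.3 disabled in the library), the legacy client_version is the offer.
    """
    assert client_hello[0] == 0x16, "not a TLS handshake record"
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    assert body[0] == 0x01, "not a ClientHello"
    pos = 4
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                           # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return {legacy_version}
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type == SUPPORTED_VERSIONS_EXT:
            count = data[0] // 2                             # 1-byte list length
            return set(struct.unpack("!%dH" % count, data[1:1 + 2 * count]))
    return {legacy_version}


def versions_for_floor(min_version=ssl.TLSVersion.TLSv1_2):
    """Which versions does this libssl offer once the floor is set?"""
    return offered_versions(capture_client_hello(make_client_context(min_version)))


if __name__ == "__main__":
    print("libssl:", ssl.OPENSSL_VERSION)
    for code in sorted(versions_for_floor(), reverse=True):
        print("offered: 0x%04x" % code)
```

Running it against a library that was upgraded underneath the application is the check Kyle's later point calls for: the offered set grows (TLS 1.3 appears as 0x0304) with no application rebuild, while 0x0301/0x0302 never appear because the floor is pinned. Swapping the floor for ssl.TLSVersion.TLSv1 is how you would reproduce the "all expected peers support TLS 1.2" trade-off in the other direction.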

Re: Query regarding upgrading TLS compatibility

Kyle Hamilton

Every new version of TLS requires code to be written.  Sometimes it can be implemented in a binary compatible manner, and in those situations you can get the implementation of a new TLS version by simply replacing a DLL or equivalent dynamic library.  However, it's much more likely that the implementation requires non-binary-compatible changes, and your application will need to be recompiled against the new version of the library that supports the newest TLS version.

In other words, it is very unlikely that TLS 1.3 can be implemented in a binary-compatible manner.  It is best if you plan to recompile your application against the version of the library that implements TLS 1.3.

-Kyle H

On Mon, Apr 3, 2017 at 2:42 AM, Hegde, Harsha <[hidden email]> wrote:

Hi,

I have a query regarding TLS compatibility used in my application. Currently we are using TLS1.2 to connect to a third party server. Is there any way to always use the highest TLS available version without modifying or recompiling the application code whenever there is any new version of TLS released.

Thanks & Regards

Harsha


Re: Query regarding upgrading TLS compatibility

Viktor Dukhovni

> On Apr 3, 2017, at 8:42 PM, Kyle Hamilton <[hidden email]> wrote:
>
>
> In other words, it is very unlikely that TLS 1.3 can be implemented
> in a binary-compatible manner.  It is best if you plan to recompile
> your application against the version of the library that implements
> TLS 1.3.

Unlikely or not, the OpenSSL 1.1.1 release will be binary compatible
with 1.1.0 and will support TLS 1.3.  There will be new features, but
for most applications, the software and protocol upgrade is transparent.


--
        Viktor.


Re: Query regarding upgrading TLS compatibility

Kyle Hamilton
Awesome, I sit corrected in this case. :)

In any case, though, it's generally best to plan to recompile.  (Who says that TLS 1.4 will be able to be implemented in a binary compatible manner?)  And even with this news, it is certainly a requirement that the original poster must plan to replace the dynamic library used by his application on the devices it is deployed on.

-Kyle H

On Mon, Apr 3, 2017 at 6:22 PM, Viktor Dukhovni <[hidden email]> wrote:

> On Apr 3, 2017, at 8:42 PM, Kyle Hamilton <[hidden email]> wrote:
>
>
> In other words, it is very unlikely that TLS 1.3 can be implemented
> in a binary-compatible manner.  It is best if you plan to recompile
> your application against the version of the library that implements
> TLS 1.3.

Unlikely or not, the OpenSSL 1.1.1 release will be binary compatible
with 1.1.0 and will support TLS 1.3.  There will be new features, but
for most applications, the software and protocol upgrade is transparent.


--
        Viktor.
