Using SSL_CTX_set_min_proto_version


Using SSL_CTX_set_min_proto_version

Tamara Kogan via openssl-users
Hello,

In our client application we are trying to set TLS 1.2 in the ClientHello message. The OpenSSL version is 1.1.1h.

We use the function

SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
If I test the version right after setting it does return 1.2
SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION

But the ClientHello is still created with TLS 1.0
(16 03 01 01 42…)

Any explanation why the ClientHello message ignores min TLS version?
Any suggestion how to enforce 1.2 version?

Thanks,
Tamara




Re: Using SSL_CTX_set_min_proto_version

Matt Caswell


On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote:

> Hello,
>
>   In our client application we are trying to set TLS 1.2 in ClientHello
> message. The OpenSSL version is 1.1.1h
>
> We use the function
>
> SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
> If I test the version right after setting it does return 1.2
> SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION
>
> But the ClientHello is still created with TLS 1.0
> (16 03 01 01 42…)
>
> Any explanation why the ClientHello message ignores min TLS version?
> Any suggestion how to enforce 1.2 version?

You are looking at the *record layer* TLS version. This is always 1.0 in
the ClientHello, regardless of what TLS protocol version is actually
being requested. TLS protocol version fields are a bit of a minefield of
confusion and unexpected behaviour. For example in an OpenSSL TLSv1.3
ClientHello the record layer protocol version will be set to TLSv1.0,
the ClientHello message itself will have the protocol version set to
TLSv1.2, and the supported versions extension will list the actual
supported versions (i.e. in your case it would be TLSv1.3 and TLSv1.2).

Matt


Re: Using SSL_CTX_set_min_proto_version

Tamara Kogan via openssl-users
In reply to Matt Caswell's message of April 6, 2021 at 2:13:02 PM EDT (quoted in full above).

I have not found any confirmation in the TLS specs that the "record layer" version must be 1.0.
Our client failed to connect to a mail server when the server changed settings and limited TLS versions to 1.2 only. The server parsed the first three bytes of the ClientHello, detected version 1.0 and closed the connection. Then it was half a day of debugging OpenSSL in an attempt to understand why SSL_CTX_set_min_proto_version doesn't make any difference.
Now the server has been updated and it still doesn't accept a ClientHello with 1.0, but at least the server sends a "ChangeCipherSpec" message and the client resends the ClientHello with 1.2.
As a result, in order to connect, the client has an extra message exchange.
From my point of view, the "Record Layer" ProtocolVersion has to be settable.
Tamara


Re: Using SSL_CTX_set_min_proto_version

Matt Caswell


On 07/04/2021 15:22, Tamara Kogan via openssl-users wrote:
> I have not found any confirmation in TLS specs that the “record layer”
> version must be 1.0.

I did not mean to imply that the specs say that the record layer version
*must* be 1.0. Only that that is what OpenSSL *does*.

In fact the earlier versions of the SSL/TLS specs were quite ambiguous
and unclear on this matter. It is partly for this reason and partly
because of a proliferation of buggy server implementations that TLS
version negotiation became the mess that it is today.

The current OpenSSL behaviour was chosen as a result of trying to go
with the behaviour that gives the maximum interoperability whilst being
entirely consistent with the specs.

The TLSv1.2 RFC was more explicit about what is allowed for the record
layer version in the ClientHello message than the earlier versions:

   "TLS clients that wish to negotiate with older servers MAY send any
    value {03,XX} as the record layer version number.  Typical values
    would be {03,00}, the lowest version number supported by the client,
    and the value of ClientHello.client_version.  No single value will
    guarantee interoperability with all old servers, but this is a
    complex topic beyond the scope of this document."


TLSv1.3 says something different about it:

    "legacy_record_version:  MUST be set to 0x0303 for all records
     generated by a TLS 1.3 implementation other than an initial
     ClientHello (i.e., one not generated after a HelloRetryRequest),
     where it MAY also be 0x0301 for compatibility purposes.  This
     field is deprecated and MUST be ignored for all purposes.
     Previous versions of TLS would use other values in this field
     under some circumstances."


> Our client failed to connect to a mail server when the server changed
> settings and limited  TLS versions to  1.2 only. The server parsed the
> first three bytes of ClientHello, detected 1.0 version and closed the
> connection.

Then, IMO, this server is buggy and not consistent with the TLSv1.2 spec.

Matt
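
As an added illustration of the three version fields Matt describes in his first reply (the record-layer version, ClientHello.legacy_version and the supported_versions extension) and of his last point that a server judging a ClientHello by its first three bytes is not consistent with the TLSv1.2 spec, the following Python is example code written for this page; it is not OpenSSL code and was not posted in the thread. It builds a constructed ClientHello shaped like the one OpenSSL sends (record layer 0x0301, legacy_version 0x0303, supported_versions listing 1.3 and 1.2), parses the three fields back out, and contrasts a version-selection routine that follows RFC 5246 Appendix E.1 and RFC 8446 section 4.2.1 with one that, like the mail server in the thread, rejects on the record-layer version alone. The function names and the sample hello are this example's own assumptions.

```python
import struct

TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 extension type for supported_versions


def build_client_hello(record_version, legacy_version, supported_versions=None,
                       cipher_suites=(0x1301, 0xC02F)):
    """Build a minimal ClientHello record. Constructed sample, not a real capture."""
    body = struct.pack("!H", legacy_version)
    body += bytes(32)                                   # random: zeros are fine for a parsing demo
    body += b"\x00"                                     # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = struct.pack("!B", len(vers)) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record_version, legacy_version, supported_versions or None)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])   # the '03 01' Tamara saw
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                           # skip random
    pos += 1 + body[pos]                                # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                                # skip compression methods
    supported = None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                             for i in range(0, edata[0], 2)]
    return record_version, legacy_version, supported


def select_version(record, min_version, max_version):
    """Version a spec-following server negotiates; the record-layer version is ignored."""
    _, legacy_version, supported = parse_client_hello(record)
    if supported is not None:
        # RFC 8446 4.2.1: choose from supported_versions, not from legacy_version
        for v in sorted(supported, reverse=True):
            if min_version <= v <= max_version:
                return v
        return None
    # RFC 5246 E.1: legacy_version is the highest version the client supports
    if legacy_version < min_version:
        return None
    return min(legacy_version, max_version)


def buggy_select_version(record, min_version, max_version):
    """What the mail server in the thread did: decide on bytes 1-2 of the record."""
    record_version, _, _ = parse_client_hello(record)
    if record_version < min_version:
        return None
    return min(record_version, max_version)


if __name__ == "__main__":
    # Shaped like the OpenSSL TLSv1.3 ClientHello Matt describes.
    hello = build_client_hello(TLS1_0, TLS1_2, [TLS1_3, TLS1_2])
    print("first bytes:", hello[:5].hex(" "))
    print("parsed:", [hex(x) if isinstance(x, int) else [hex(v) for v in x]
                      for x in parse_client_hello(hello)])
    print("compliant server (1.2 only):", select_version(hello, TLS1_2, TLS1_2))
    print("record-layer-checking server:", buggy_select_version(hello, TLS1_2, TLS1_2))
```

Run on the constructed hello, the record layer reads 16 03 01 exactly as in the original question while the handshake carries 0x0303 and the extension carries 0x0304 and 0x0303; the compliant routine selects TLS 1.2 for a 1.2-only server and the record-layer check rejects the same hello.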