backward compatibility for tls 1.2


backward compatibility for tls 1.2

Gayathri Manoj
Hi All,

I am planning to upgrade my TLS connection from 1.0 to 1.2. I have made changes on the client side and am able to see the client hello with TLS version 1.2. The server supports only 1.0, and the client is not falling back to 1.0 but is giving me a fatal "Protocol version" alert.

Please let me know whether I need to add backward compatibility code separately. If yes, then how can I do it? Could you please provide some example for the same.

Thanks,
Gayathri

RE: backward compatibility for tls 1.2

Salz, Rich

> I am planning to upgrade my TLS connection from 1.0 to 1.2. I have made changes on the client side and am able to see the client hello with TLS version 1.2. The server supports only 1.0, and the client is not falling back to 1.0 but is giving me a fatal "Protocol version" alert.

You have to do it “by hand” – reconnect with the older protocol. It’s not like cipher suites.

/r$

-- 

Principal Security Engineer

Akamai Technologies, Cambridge, MA

IM: [hidden email]; Twitter: RichSalz


Re : backward compatibility for tls 1.2

nicolas.kox
In reply to this post by Gayathri Manoj
hi

this code should do the trick on the client side (for the "server" side, just replace client with "server")


#include <openssl/ssl.h>

SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());          /* any version: the handshake picks the highest both sides support */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);  /* then exclude the versions you never want to negotiate */


the SSLv23_client_method() method allows all protocols, then SSL_CTX_set_options is used to avoid unwanted ones

Nico


----- Original Message -----
From: Gayathri Manoj <[hidden email]>
To: [hidden email]
Sent: Tue, 13 May 2014 12:45:52 +0200 (CEST)
Subject: backward compatibility for tls 1.2

Hi All,

I am planning to upgrade my TLS connection from 1.0 to 1.2. I have made
changes on the client side and am able to see the client hello with TLS
version 1.2. The server supports only 1.0, and the client is not falling
back to 1.0 but is giving me a fatal "Protocol version" alert.

Please let me know whether I need to add backward compatibility code
separately. If yes, then how can I do it? Could you please provide some
example for the same.

Thanks,
Gayathri

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: backward compatibility for tls 1.2

Jeffrey Walton-3
In reply to this post by Gayathri Manoj
On Tue, May 13, 2014 at 6:45 AM, Gayathri Manoj
<[hidden email]> wrote:

> Hi All,
>
> I am planning to upgrade my TLS connection from 1.0 to 1.2.  I have made
> changes on the client side and am able to see the client hello with TLS
> version 1.2. The server supports only 1.0, and the client is not falling back
> to 1.0 but is giving me a fatal "Protocol version" alert.
>
> Please let me know whether I need to add backward compatibility code
> separately. If yes, then how can I do it? Could you please provide some
> example for the same.
I believe the code below will provide the correct record (TLS 1.0) and
handshake (TLS 1.2) protocol values. Essentially, it's saying "TLS 1.0
or above". OpenSSL will do the right thing and choose the highest
protocol level available modulo cipher suite preferences in some
instances.

*****

#include <openssl/ssl.h>

init_openssl_library();   /* helper not shown in this post; it wraps OpenSSL's initialisation calls */

/* "TLS 1.0 or above": SSLv23_method() negotiates the highest version both sides support */
const SSL_METHOD* method = SSLv23_method();
SSL_CTX* ctx = SSL_CTX_new(method);

/* then switch off the legacy protocols and TLS-level compression */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);
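The version negotiation the whole thread is circling around, as an added example that is not code from any of the posts above and not OpenSSL's own code: a self-contained C program that builds a constructed ClientHello, reads back the two version fields Jeffrey Walton mentions (record-layer version TLS 1.0 versus client_version TLS 1.2 in the handshake body), shows how a conforming server is supposed to pick a version from that, how a server that insists on an exact match produces the fatal protocol_version alert the original poster saw, and how the "by hand" reconnect fallback Rich Salz describes plays out against such a server. The function names, the fixed client random and the single cipher suite are assumptions made for the illustration; the version codes and the alert value 70 are from RFC 5246.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire encodings of the protocol versions discussed in the thread. */
#define TLS1_0 0x0301
#define TLS1_2 0x0303

/* AlertDescription protocol_version, RFC 5246 section 7.2.2. */
#define ALERT_PROTOCOL_VERSION 70

/* Builds a minimal ClientHello record into out (constructed sample, not a real
   handshake).  The record-layer version is pinned to TLS 1.0 while client_version
   in the handshake body carries max_version, the split Jeffrey Walton refers to.
   Returns bytes written, or 0 if cap is too small. */
size_t build_client_hello(uint8_t *out, size_t cap, uint16_t max_version)
{
    const size_t body_len = 2 + 32 + 1 + 2 + 2 + 1 + 1; /* 41 bytes */
    const size_t hs_len = 4 + body_len;                   /* 45 bytes */
    uint8_t *p = out;
    if (cap < 5 + hs_len) return 0;
    *p++ = 22;                                  /* ContentType handshake */
    *p++ = 0x03; *p++ = 0x01;                   /* record version TLS 1.0 */
    *p++ = (uint8_t)(hs_len >> 8); *p++ = (uint8_t)hs_len;
    *p++ = 1;                                   /* HandshakeType client_hello */
    *p++ = 0; *p++ = (uint8_t)(body_len >> 8); *p++ = (uint8_t)body_len;
    *p++ = (uint8_t)(max_version >> 8); *p++ = (uint8_t)max_version; /* client_version */
    memset(p, 0x42, 32); p += 32;               /* client random: fixed filler, not random */
    *p++ = 0;                                   /* session_id length */
    *p++ = 0; *p++ = 2;                         /* cipher_suites length */
    *p++ = 0x00; *p++ = 0x2f;                   /* TLS_RSA_WITH_AES_128_CBC_SHA */
    *p++ = 1; *p++ = 0;                         /* compression_methods: null only */
    return (size_t)(p - out);
}

/* Reads both version fields back out of a ClientHello record.
   Returns 0 on success, -1 if buf does not hold a ClientHello. */
int parse_client_hello(const uint8_t *buf, size_t len,
                       uint16_t *record_version, uint16_t *client_version)
{
    size_t hs_len;
    if (len < 11 || buf[0] != 22 || buf[5] != 1) return -1;
    hs_len = ((size_t)buf[3] << 8) | buf[4];
    if (hs_len < 6 || 5 + hs_len > len) return -1;
    *record_version = (uint16_t)((buf[1] << 8) | buf[2]);
    *client_version = (uint16_t)((buf[9] << 8) | buf[10]);
    return 0;
}

/* What a conforming server does with client_version (RFC 5246 appendix E.1): use
   the highest version it supports that is not above the client's.  Returns that
   version, or 0 with *alert = protocol_version when the ranges do not overlap. */
uint16_t negotiate_version(uint16_t client_version, uint16_t server_min,
                           uint16_t server_max, int *alert)
{
    uint16_t chosen = client_version < server_max ? client_version : server_max;
    *alert = 0;
    if (chosen < server_min) { *alert = ALERT_PROTOCOL_VERSION; return 0; }
    return chosen;
}

/* What the original poster's server appears to do: accept only an exact match of
   its single version and answer anything else with a fatal protocol_version alert. */
uint16_t strict_server_version(uint16_t client_version, uint16_t server_version,
                               int *alert)
{
    *alert = (client_version == server_version) ? 0 : ALERT_PROTOCOL_VERSION;
    return *alert ? 0 : server_version;
}

/* The "by hand" fallback Rich Salz describes, run against the strict server above:
   after each protocol_version alert reconnect with the next lower version, never
   below floor_version.  Returns the version that succeeded (0 if none) and counts
   the connection attempts in *attempts. */
uint16_t connect_with_fallback(uint16_t start_version, uint16_t floor_version,
                               uint16_t server_version, int *attempts)
{
    uint16_t v;
    *attempts = 0;
    for (v = start_version; v >= floor_version; v--) {
        int alert;
        uint16_t got = strict_server_version(v, server_version, &alert);
        (*attempts)++;
        if (alert == 0) return got;
    }
    return 0;
}

int main(void)
{
    uint8_t hello[64];
    uint16_t rec = 0, cli = 0, got;
    int alert, attempts;
    size_t n = build_client_hello(hello, sizeof hello, TLS1_2);
    parse_client_hello(hello, n, &rec, &cli);
    printf("record version %04x, client_version %04x\n", rec, cli);
    got = strict_server_version(cli, TLS1_0, &alert);
    printf("strict TLS 1.0 server: %04x, alert %d\n", got, alert);
    got = connect_with_fallback(cli, TLS1_0, TLS1_0, &attempts);
    printf("fallback by hand: %04x after %d attempts\n", got, attempts);
    return 0;
}
```

The fallback loop stops at floor_version on purpose: a retry that descends into SSLv3 reintroduces everything SSL_OP_NO_SSLv3 was meant to exclude, and because a fallback triggered by a connection failure can also be triggered by an on-path party, RFC 7507 later defined TLS_FALLBACK_SCSV so that a server can recognise a client that has fallen back. OpenSSL 1.1.0 and later replace the SSLv23 plus SSL_OP_NO_* pattern in the replies above with TLS_method() and SSL_CTX_set_min_proto_version(); in 2014 the options approach was the standard way.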

Re: backward compatibility for tls 1.2

michel-60
In reply to this post by Gayathri Manoj
Hi,

Here is a related previous discussion with some more details:
http://openssl.6102.n7.nabble.com/FW-Negotiating-TLS-1-0-from-1-2-td39516.html

On 13/05/2014 12:45, Gayathri Manoj wrote:

> Hi All,
>
> I am planning to upgrade my TLS connection from 1.0 to 1.2.  I have
> made changes on the client side and am able to see the client hello
> with TLS version 1.2. The server supports only 1.0, and the client is
> not falling back to 1.0 but is giving me a fatal "Protocol version" alert.
>
> Please let me know whether I need to add backward compatibility code
> separately. If yes, then how can I do it? Could you please provide some
> example for the same.
>
> Thanks,
> Gayathri

