[openssl-users] Query on API availability for openssl versions

Matt Caswell matt at openssl.org
Tue Oct 17 08:55:21 UTC 2017



On 17/10/17 09:21, Grace Priscilla Jero wrote:
> Hi All,
> 
> 1)
> The below APIs used to set the maximum and minimum versions are
> available in 1.1.0f version of OPENSSL.
> 
>  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
>  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
>  int SSL_set_min_proto_version(SSL *ssl, int version);
>  int SSL_set_max_proto_version(SSL *ssl, int version);
> 
>  Do you have the same in any of the 1.0.2x threads or plan to have it in
> any later versions? We don't see it available in 1.0.2k or 1.0.2l
> versions. Kindly update us on the same.

These APIs were first introduced into 1.1.0, and we intend to continue
to support them moving forward in future versions. However they will not
be backported to the 1.0.2 branch. We do not add new features to a
stable branch.

In 1.0.2 you must use the options SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 via the SSL_CTX_set_options() or
SSL_set_options() functions.


> 
> 2)
> There are a set of APIs to set/get security level wherein each level
> supports a set of cipher suites. Is there something available in OPENSSL
> wherein I can get the level and set it when I provide a cipher suite?
> We have a case where we give the user a provision to provide his own
> list of cipher suites and we need to set the appropriate level in the
> API so that we support it for the connections. Kindly provide your comments.

You can set the security level via the cipher string using the special
cipher string command "@SECLEVEL". For example to set all default
ciphersuites at security level 2 or above you can use:

"DEFAULT:@SECLEVEL=2"

Matt


