[openssl-users] Query on API availability for openssl versions

Grace Priscilla Jero grace.priscilla at gmail.com
Tue Oct 17 09:01:37 UTC 2017


Thank you Matt for the quick response.
For "2," does it mean that every cipher suite can operate in multiple
levels?
I thought that there was a specific set of cipher suites operating in each
of the levels.

Thanks,
Grace

On Tue, Oct 17, 2017 at 2:25 PM, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 17/10/17 09:21, Grace Priscilla Jero wrote:
> > Hi All,
> >
> > 1)
> > The below APIs used to set the maximum and minimum versions are
> > available in 1.1.0f version of OPENSSL.
> >
> >  int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
> >  int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
> >  int SSL_set_min_proto_version(SSL *ssl, int version);
> >  int SSL_set_max_proto_version(SSL *ssl, int version);
> >
> > Do you have the same in any of the 1.0.2x threads or plan to have it in
> > any later versions? We don't see it available in 1.0.2k or 1.0.2l
> > versions. Kindly update us on the same.
>
> These APIs were first introduced into 1.1.0, and we intend to continue
> to support them moving forward in future versions. However they will not
> be backported to the 1.0.2 branch. We do not add new features to a
> stable branch.
>
> In 1.0.2 you must use the options SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
> SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 via the SSL_CTX_set_options() or
> SSL_set_options() functions.
>
>
> >
> > 2)
> > There are a set of APIs to set/get security level wherein each level
> > supports a set of cipher suites. Is there something available in OPENSSL
> > wherein I can get the level and set it when I provide a cipher suite.
> > We have a case where we give the user a provision to provide his own
> > list of cipher suites and we need to set the appropriate level in the
> > API so that we support it for the connections. Kindly provide your
> > comments.
>
> You can set the security level via the cipher string using the special
> cipher string command "@SECLEVEL". For example to set all default
> ciphersuites at security level 2 or above you can use:
>
> "DEFAULT:@SECLEVEL=2"
>
> Matt
>
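The two mechanisms from Matt's reply side by side, as an added example that is not part of the original thread. It uses Python's `ssl` module because it exposes the same OpenSSL settings: `minimum_version` for the 1.1.0 min-protocol API, `options` for the `SSL_OP_NO_*` flags, and `set_ciphers()` for the cipher string. The helper names `legacy_option_mask`, `context_modern` and `context_legacy` are hypothetical.

```python
import ssl
import warnings

V = ssl.TLSVersion

# Protocol versions named in the reply, oldest first, each paired with the
# option that disables it (OpenSSL's SSL_OP_NO_*; ssl.OP_NO_* in Python).
_DISABLE_FLAG = [
    (V.SSLv3, ssl.OP_NO_SSLv3),
    (V.TLSv1, ssl.OP_NO_TLSv1),
    (V.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (V.TLSv1_2, ssl.OP_NO_TLSv1_2),
]

def legacy_option_mask(min_version, max_version=V.TLSv1_2):
    """Hypothetical helper: turn a [min, max] range into the OP_NO_* mask
    a 1.0.2-style caller would pass to SSL_CTX_set_options()."""
    known = [v for v, _ in _DISABLE_FLAG]
    if min_version not in known or max_version not in known:
        raise ValueError("version not covered by the SSL_OP_NO_* flags above")
    if min_version > max_version:
        raise ValueError("minimum version is above maximum version")
    mask = ssl.Options(0)
    for version, flag in _DISABLE_FLAG:
        # Every version outside the allowed range needs its own disable flag.
        if version < min_version or version > max_version:
            mask |= flag
    return mask

def context_modern(min_version, cipher_string):
    """1.1.0-style: a single setting states the protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)  # e.g. "DEFAULT:@SECLEVEL=2"
    return ctx

def context_legacy(min_version, cipher_string):
    """1.0.2-style: disable each version below the floor, one flag per version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Newer Python releases mark OP_NO_* as deprecated in favour of minimum_version.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= legacy_option_mask(min_version)
    ctx.set_ciphers(cipher_string)
    return ctx
```

With the flag approach, any protocol version that has no flag in the mask stays enabled, so the mask has to be revisited whenever the library gains a new version.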