Removing Extensions from Client Hello Header
Benjamin Kaduk
bkaduk at akamai.com
Mon Nov 11 19:43:40 UTC 2019
On Mon, Nov 11, 2019 at 12:32:22PM -0700, Phil Neumiller wrote:
> I am speaking TLS 1.3 with openssl to a hardware device that I can't change.
> I need the client hello header to only support certain extensions, yet I
> see no way in the SSL API to remove the default extensions in the TLS 1.3
> client hello. Can I clear them all and just add the ones I want? What am I
> missing? Do I have to modify the SSL code to do this? It seems like there
> should be an orthodox way to do this.
You have to disable them one by one; see SSL_CTX_set_options(3) and (e.g.)
SSL_OP_NO_EXTENDED_MASTER_SECRET.
-Ben
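
One way to check which extensions an option flag actually removes, as an added example that is not part of the original thread: it uses Python's ssl module (a wrapper over OpenSSL, where ssl.OP_NO_TICKET is SSL_OP_NO_TICKET) to build a ClientHello in memory and list its extension types. The hostname device.example is a constructed placeholder and no network connection is made.

```python
import ssl
import struct

# Names from the IANA TLS ExtensionType registry (subset, for display only).
EXT_NAMES = {0: "server_name", 22: "encrypt_then_mac",
             23: "extended_master_secret", 35: "session_ticket",
             43: "supported_versions", 51: "key_share"}

def parse_extensions(record):
    """Return the extension type numbers of a ClientHello record, in wire order."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    if end > len(record):
        raise ValueError("truncated extensions block")
    pos += 2
    types = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def client_hello_extensions(extra_options=0):
    """Generate a ClientHello with the given SSL_OP_* bits set and parse it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= extra_options
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Assumption: "device.example" stands in for the real peer name.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="device.example")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass    # expected: ClientHello is written, no ServerHello to read
    return parse_extensions(outgoing.read())

if __name__ == "__main__":
    for label, opts in (("default", 0), ("OP_NO_TICKET", ssl.OP_NO_TICKET)):
        exts = client_hello_extensions(opts)
        print(label, [EXT_NAMES.get(t, t) for t in exts])
```

Comparing the two printed lists shows which extensions remain that no option flag controls.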