Removing Extensions from Client Hello Header

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Nov 11 22:12:38 UTC 2019


-----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Phil Neumiller
> Sent: Monday, November 11, 2019 15:57
>
> Code: SSL_CTX_set_options(ctx, !SSL_OP_ALL);

That's just a verbose way of saying SSL_CTX_set_options(ctx, 0).

Perhaps you meant SSL_CTX_set_options(ctx, ~SSL_OP_ALL)? I certainly wouldn't recommend that - it would enable a host of options which aren't included in SSL_OP_ALL, and which you very likely shouldn't be enabling. (And also some you perhaps should, such as SSL_OP_SINGLE_ECDH_USE, though I don't remember offhand if that affects TLSv1.3.)

SSL_OP_ALL is defined as "various bug workarounds that should be rather harmless". I don't believe its use is appropriate here.

As with any implementation of any protocol, there are limits to OpenSSL's ability to deal with noncompliant peers. This may be a case where you have to customize your OpenSSL build in order to get it to connect to your apparently-non-compliant server.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
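Added illustration, not part of the thread and not OpenSSL code: a small stand-alone C model of the bitmask semantics the reply relies on. Real SSL_CTX_set_options() ORs the supplied mask into the context's existing options and returns the result, so it can only switch bits on; bits are switched off with SSL_CTX_clear_options(). The model below reproduces that with constructed placeholder flags (OPT_ALL, OPT_SINGLE_ECDH_USE and so on are made-up bit positions, not the real SSL_OP_* values, which vary by OpenSSL version), and contrasts the poster's `!SSL_OP_ALL`, the `~SSL_OP_ALL` variant the reply warns against, and an explicit clear-then-set.

```c
/*
 * Model of SSL_CTX_set_options()/SSL_CTX_clear_options() bitmask behaviour.
 * This is an added example and NOT OpenSSL: no OpenSSL headers are used and
 * every OPT_* value is a constructed placeholder chosen for illustration.
 */
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder flags standing in for a few SSL_OP_* bits. */
#define OPT_BUG_WORKAROUND_A ((uint64_t)1 << 0)
#define OPT_BUG_WORKAROUND_B ((uint64_t)1 << 1)
#define OPT_ALL              (OPT_BUG_WORKAROUND_A | OPT_BUG_WORKAROUND_B) /* stands in for SSL_OP_ALL */
#define OPT_SINGLE_ECDH_USE  ((uint64_t)1 << 2)
#define OPT_NO_TLSv1_3       ((uint64_t)1 << 3)
#define OPT_NO_TICKET        ((uint64_t)1 << 4)

/* Placeholder for an SSL_CTX: only the option mask matters here. */
struct model_ctx {
    uint64_t options;
};

/* Mirrors the documented behaviour of SSL_CTX_set_options(): OR the mask
 * into the existing options and return the new mask. Bits are only ever
 * added here, never removed, so passing 0 changes nothing. */
uint64_t model_set_options(struct model_ctx *ctx, uint64_t mask)
{
    ctx->options |= mask;
    return ctx->options;
}

/* Mirrors SSL_CTX_clear_options(): clear the given bits, return the mask. */
uint64_t model_clear_options(struct model_ctx *ctx, uint64_t mask)
{
    ctx->options &= ~mask;
    return ctx->options;
}

/* Number of option bits currently switched on. */
int model_count_bits(uint64_t v)
{
    int n = 0;
    for (; v; v >>= 1)
        n += (int)(v & 1);
    return n;
}

/* What the original poster wrote: logical NOT of a non-zero mask is 0,
 * so this is SSL_CTX_set_options(ctx, 0) and leaves the options untouched. */
uint64_t poster_variant(struct model_ctx *ctx)
{
    return model_set_options(ctx, !OPT_ALL);
}

/* The bitwise variant: every bit outside OPT_ALL is switched on, including
 * options that were never meant to be enabled. */
uint64_t bitwise_variant(struct model_ctx *ctx)
{
    return model_set_options(ctx, ~OPT_ALL);
}

/* The explicit form: drop the bug-workaround bits with the clear call, then
 * enable only the option you actually want. */
uint64_t explicit_variant(struct model_ctx *ctx)
{
    model_clear_options(ctx, OPT_ALL);
    return model_set_options(ctx, OPT_SINGLE_ECDH_USE);
}

int main(void)
{
    struct model_ctx a = { OPT_ALL }, b = { OPT_ALL }, c = { OPT_ALL };

    printf("!OPT_ALL  -> mask %016llx (%d bits on)\n",
           (unsigned long long)poster_variant(&a), model_count_bits(a.options));
    printf("~OPT_ALL  -> mask %016llx (%d bits on)\n",
           (unsigned long long)bitwise_variant(&b), model_count_bits(b.options));
    printf("clear+set -> mask %016llx (%d bits on)\n",
           (unsigned long long)explicit_variant(&c), model_count_bits(c.options));
    return 0;
}
```

With the placeholder values the first call leaves both workaround bits on, the second switches on all 64 bits, and only the third ends with exactly the one intended option set; the same shape holds against the real API, which is why a context whose options were set with `!SSL_OP_ALL` still carries whatever SSL_OP_ALL bits it already had.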
