Using SSL_CTX_set_min_proto_version
Matt Caswell
matt at openssl.org
Tue Apr 6 18:13:02 UTC 2021
On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote:
> Hello,
>
> In our client application we are trying to set TLS 1.2 in ClientHello
> message. The OpenSSL version is 1.1.1h
>
> We use the function
>
> SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
> If I test the version right after setting it does return 1.2
> SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION
>
> But the ClientHello is still created with TLS 1.0
> (16 03 01 01 42…)
>
> Any explanation why the ClientHello message ignores min TLS version?
> Any suggestion how to enforce 1.2 version?
You are looking at the *record layer* TLS version. This is always 1.0 in
the ClientHello, regardless of what TLS protocol version is actually
being requested. TLS protocol version fields are a bit of a minefield of
confusion and unexpected behaviour. For example in an OpenSSL TLSv1.3
ClientHello the record layer protocol version will be set to TLSv1.0,
the ClientHello message itself will have the protocol version set to
TLSv1.2, and the supported versions extension will list the actual
supported versions (i.e. in your case it would be TLSv1.3 and TLSv1.2).
Matt
More information about the openssl-users
mailing list