Doubt regarding ssl options
Jan Just Keijser
janjust at nikhef.nl
Mon Jan 31 10:50:50 UTC 2022
Hi,
On 31/01/22 10:27, Srinivas, Saketh (c) wrote:
> Hi,
>
> What is the difference between SSL_CTX_set_min_proto_version
> and SSL_set_min_proto_version?
> How will they affect the SSL handshake?
>
> I can see two version numbers in the PCAP files:
>
> 1. content type is handshake, version v1.0
> 2. handshake type client hello, version v1.2
>
> What is the difference, and how do I modify them?
>
>
The effect of SSL_CTX_set_min_proto_version and
SSL_set_min_proto_version is exactly the same - it sets the minimum
TLS/SSL proto version to be used during the client/server handshake
(exchange of "hello" messages).
The TLS/SSL version mentioned during "content type = handshake" is known
as the record layer version number. If you read the TLS 1.2 spec
(https://datatracker.ietf.org/doc/html/rfc5246) you will find
" Earlier versions of the TLS specification were not fully clear on
what the record layer version number (TLSPlaintext.version) should
contain when sending ClientHello (i.e., before it is known which
version of the protocol will be employed). Thus, TLS servers
compliant with this specification MUST accept any value {03,XX} as
the record layer version number for ClientHello.
"
Check out this snippet of code (line numbers are from openssl 1.1.1k,
file "ssl/record/rec_layer_s3.c"):
849     /*
850      * Some servers hang if initial client hello is larger than 256 bytes
851      * and record version number > TLS 1.0
852      */
853     if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO
854             && !s->renegotiate
855             && TLS1_get_version(s) > TLS1_VERSION
856             && s->hello_retry_request == SSL_HRR_NONE)
857         version = TLS1_VERSION;
858     SSL3_RECORD_set_rec_version(thiswr, version);
which shows that OpenSSL explicitly sets the *record* version number to
TLS 1.0; one could argue whether such buggy servers still exist and
whether there should be an option to overrule the above behaviour.
Thus, this is not affected by any calls to SSL_CTX_set_min_proto_version
or SSL_set_min_proto_version.
However, the above is safe in terms of "it works with buggy servers" as
well as safe in terms of "the connection *will* use TLS 1.2+ if I call
SSL_{CTX_}set_min_proto_version", so why change?
Hope this clarifies things,
JJK / Jan Just Keijser
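The two version fields discussed above can be checked without a PCAP. The script below is an added example, not code from the post or from OpenSSL: it uses Python's ssl module (whose SSLContext.minimum_version / maximum_version setters call SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version on the context) to generate a real ClientHello into a MemoryBIO, then parses the record header, the ClientHello legacy_version, and the supported_versions extension from the bytes OpenSSL produced. The SNI name "example.com" and the constant names are the example's own choices; no network connection is made. It shows that the record-layer version stays 0x0301 (TLS 1.0) and legacy_version stays 0x0303 whatever minimum you set, and that the minimum/maximum settings instead show up in the supported_versions list (when the build supports TLS 1.3; a TLS-1.2-only ClientHello omits that extension).

```python
"""Added example (not from the mailing-list post): generate a ClientHello with
Python's ssl module, which applies minimum_version through
SSL_CTX_set_min_proto_version, and read back the version fields the original
poster saw in the PCAP plus the supported_versions extension that the
min/max settings actually control."""
import ssl
import struct

# Constants named here for readability; layouts follow RFC 5246 / RFC 8446.
HANDSHAKE_CONTENT_TYPE = 22
CLIENT_HELLO = 1
EXT_SUPPORTED_VERSIONS = 43

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3
HAS_TLS13 = ssl.HAS_TLSv1_3


def client_hello_bytes(min_version=TLS12, max_version=None):
    """Drive a client handshake into a MemoryBIO and return the raw bytes
    OpenSSL would have sent on the wire (the first flight: the ClientHello)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version          # -> SSL_CTX_set_min_proto_version
    if max_version is not None:
        ctx.maximum_version = max_version      # -> SSL_CTX_set_max_proto_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.com" is an arbitrary SNI name chosen for this example; nothing is contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname="example.com")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                   # ClientHello written, now waiting for ServerHello
    return outgoing.read()


def _u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_client_hello(data):
    """Return the record-layer version, the ClientHello legacy_version and the
    versions advertised in supported_versions (empty if the extension is absent)."""
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    legacy_version = (hello[0], hello[1])
    pos = 2 + 32                               # legacy_version + random
    pos += 1 + hello[pos]                      # legacy_session_id
    pos += 2 + _u16(hello, pos)                # cipher_suites
    pos += 1 + hello[pos]                      # legacy_compression_methods

    supported = []
    if pos < len(hello):                       # extensions block is optional in TLS 1.2
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            ext = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS:
                # uint8 list length, then 2-byte ProtocolVersion values, highest first
                supported = [(ext[i], ext[i + 1]) for i in range(1, 1 + ext[0], 2)]
            pos += 4 + ext_len
    return {"record_version": (rec_major, rec_minor),
            "legacy_version": legacy_version,
            "supported_versions": supported}


if __name__ == "__main__":
    for label, lo in (("min TLS 1.2", TLS12), ("min TLS 1.3", TLS13)):
        if lo == TLS13 and not HAS_TLS13:
            continue
        print(label, parse_client_hello(client_hello_bytes(min_version=lo)))
```

Python does not expose the per-connection SSL_set_min_proto_version, so only the SSL_CTX path is exercised here; as the post says, the per-SSL call has the same effect on the handshake. Raising the minimum to TLS 1.3 shrinks supported_versions to just 0x0304 while the record header still reads 0x0301, which is exactly the behaviour of the quoted rec_layer_s3.c snippet.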