TLS Version in Record Layer using OpenSSL 1.1.1

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jun 3 01:16:07 UTC 2023


On Fri, Jun 02, 2023 at 11:22:18PM +0000, Michael Lee via openssl-users wrote:

> Regarding your remark from https://mta.openssl.org/pipermail/openssl-users/2020-October/013081.html
> Basically the record version is never greater than TLSv1.2. If we're in
> an initial ClientHello (not a renegotiation or an HRR) and the max
> version is > TLSv1.0 then the record version is fixed at TLSv1.0 for the
> ClientHello record.
> 
> Do you know if this "fixed at TLSv1.0" restriction is relaxed with OpenSSL 3?
> We have packets that are being blocked by firewall due to the TLS 1.0 signature.
> We desperately need to change the Record Layer version to TLS 1.2 somehow.

The behaviour has not changed.  Even OpenSSL 3.2-dev will use TLSv1 at
the record layer in an initial client hello, and even with MinProtocol
set to TLSv1.2.

The problem is the firewall.  Your attention should be directed there.

-- 
    Viktor.
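
Added example (not part of the original message or of OpenSSL): a minimal ClientHello parser showing why the record-layer version is the wrong field for a filter to judge. The versions a client really offers sit in the handshake body, in `legacy_version` and the `supported_versions` extension (type 43). The sample bytes are constructed and the function names are hypothetical.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_sample_client_hello():
    """Constructed sample: record version 0x0301, offering TLS 1.3 and TLS 1.2."""
    ext = struct.pack("!HHB", 43, 5, 4) + bytes.fromhex("03040303")  # supported_versions
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (zeros here)
            + b"\x00"                     # empty session id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00"                 # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (record_version, legacy_version, offered_versions)."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_ver = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher suites
    pos += 1 + body[pos]                                # compression methods
    offered = []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            if etype == 43:  # 1-byte list length, then 2-byte versions
                offered = [struct.unpack_from("!H", data, i)[0]
                           for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    return rec_ver, legacy_ver, offered

def highest_offered(record):
    """Version a filter should judge; unknown (e.g. GREASE) values are ignored."""
    _, legacy_ver, offered = parse_client_hello(record)
    known = [v for v in offered if v in NAMES] or [legacy_ver]
    return NAMES.get(max(known), "unknown")
```

On the constructed sample the record header reads 0x0301 while the highest offered version is TLSv1.3, so a rule keyed on the record header alone would block a client that never offers TLS 1.0.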

