[openssl-users] OPENSSL_VERSION_NUMBER and TLSv1_1 & TLSv1_2 supports

Jakob Bohm jb-openssl at wisemo.com
Tue Dec 8 17:16:25 UTC 2015

On 07/12/2015 11:52, zosrothko wrote:
> Hi Jacob
> On 18/09/2015 19:34, Jakob Bohm wrote:
>> On 18/09/2015 18:05, zosrothko wrote:
>>> Hi
>>> is there a way to know the supported TLS protocols from the
>>> OPENSSL_VERSION_NUMBER (specifically, TLSv1_1 and TLSv1_2)?
>>> For example, I have code that is using TLSv1_1_client_method &
>>> TLSv1_1_server_method for an OPENSSL_VERSION_NUMBER = 0x1000201fL, but
>>> I need to protect those TLSv1_1 and TLSv1_2 entry point references
>>> when my code is ported to a previous version of OpenSSL that does
>>> not support those TLS versions, such as version 1.0.0k.
>>> Since there is no OPEN_SSL_NO_TLSv1_1 constant nor
>>> OPEN_SSL_NO_TLSv1_2 constant in the ssl.h(1.0.0k), I would like to
>>> use the OPENSSL_VERSION_NUMBER to protect the references.
>> The numeric value of OPENSSL_VERSION_NUMBER maps directly
>> to the textual version number ("1.0.0k"); look in the
>> official changelogs for each branch (0.9.8, 1.0.0, 1.0.1,
>> 1.0.2, 1.1.0 etc.) to see at which comparison limits any given
>> feature was installed.
>> Or, since you are using the version number of the header
>> files, not the version of the runtime shared library, you
>> can simply use ifdef tests for relevant defines existing,
>> e.g.
>> #if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
>> /* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version
>>  * supports TLSv1.1 .
>>  *
>>  * OPENSSL_NO_TLS1 is defined in opensslconf.h or on the
>>  * compiler command line if TLS1.x was removed at OpenSSL
>>  * library build time via Configure options.
>>  */
>> /* Code that requires headers from a TLSv1.1 capable OpenSSL
>>  * goes here.
>>  */
>> #endif
> I saw that in ssl.h, the 'NO' particle means no support of, as for example
> /* Don't use RFC4507 ticket extension */
> # define SSL_OP_NO_TICKET                    0x00004000L
> What does the 'NO' in SSL_OP_NO_TLSv1_1 mean? Should the test not be
> reversed as below?

The define is for a flag that can be passed to some other SSL functions
to turn off the TLSv1_1 support during a single execution, hence the
"NO" in its name.

Because those flags are only defined in OpenSSL versions that include
the thing to turn off (at least if not disabled when compiling OpenSSL
itself), I suggested using the very existence of the flag definition
as a way to determine if the thing is included in the OpenSSL version
where the copy of "ssl.h" was taken from.

> #if !defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
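
The version-number route mentioned in the thread, as an added example that is not part of any message above and is not OpenSSL code: it decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) and compares it against the 1.0.1 release, the first with TLSv1.1 and TLSv1.2. The helper names are hypothetical, 0x100000bfL for 1.0.0k is derived here from that layout, and a TLS1.x removal at library build time (OPENSSL_NO_TLS1) is not visible in the number.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.1, the first release with TLSv1.1 and TLSv1.2. */
#define OSSL_1_0_1_RELEASE 0x1000100fUL

/* Decode the pre-3.0 layout 0xMNNFFPPS (major, minor, fix, patch, status)
 * into text such as "1.0.2a". Hypothetical helper, not an OpenSSL API. */
const char *ossl_version_text(unsigned long v, char *buf, size_t len)
{
    unsigned major  = (unsigned)(v >> 28) & 0xf;
    unsigned minor  = (unsigned)(v >> 20) & 0xff;
    unsigned fix    = (unsigned)(v >> 12) & 0xff;
    unsigned patch  = (unsigned)(v >> 4) & 0xff;
    unsigned status = (unsigned)v & 0xf;
    char letters[3] = "", tag[16] = "";

    if (patch > 26) {                 /* 27 -> "za", 28 -> "zb", ... */
        letters[0] = 'z';
        letters[1] = (char)('a' + (patch - 27) % 26);
    } else if (patch > 0) {           /* 1 -> "a" ... 26 -> "z" */
        letters[0] = (char)('a' + patch - 1);
    }
    if (status == 0)
        strcpy(tag, "-dev");
    else if (status != 0xf)           /* 0x1..0xe are beta 1..14 */
        snprintf(tag, sizeof tag, "-beta%u", status);

    snprintf(buf, len, "%u.%u.%u%s%s", major, minor, fix, letters, tag);
    return buf;
}

/* Fields are ordered most significant first, so one numeric comparison
 * tells whether these headers are at least the 1.0.1 release. */
int headers_have_tls11(unsigned long v)
{
    return v >= OSSL_1_0_1_RELEASE;
}

int main(void)
{
    /* Constructed samples: the two versions named in the thread. */
    unsigned long samples[] = { 0x1000201fUL, 0x100000bfUL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx = %s, TLSv1.1 in headers: %s\n", samples[i],
               ossl_version_text(samples[i], buf, sizeof buf),
               headers_have_tls11(samples[i]) ? "yes" : "no");
    return 0;
}
```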
