[openssl-users] Does openssl server always choose highest TLS version offered?

Viktor Dukhovni openssl-users at dukhovni.org
Fri Nov 6 21:32:27 UTC 2015

On Fri, Nov 06, 2015 at 08:59:58PM +0000, Nounou Dadoun wrote:

> Quick question, modifying context options on an openssl server (disabling
> SSLv2 and SSLv3, enabling TLSv1 (for compatibility for now), TLSv1.1 and
> TLSv1.2) and I had a question about which version is chosen in practice
> in a TLS connection.

On the server side, if at all possible, the selected protocol will
be the highest one not disabled.

On the client side, it is more complicated, because the client
can't propose a discrete list of protocols, rather it proposes a
minimum and a maximum.

Therefore, with SSLv23_client_method() aka TLS_client_method() when
you disable some set of protocols via:

    SSL_CTX_set_options(ctx, SSL_OP_NO_<...>)

lowest protocol that you *don't* disable becomes the minimum, and
then the maximum is either one less than the first higher version
that is disabled or else the maximum version supported.

Thus, for example, with;

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1_1);

    The minimum is then SSL 3.0 and the maximum is TLS 1.0, thus
    this has the side-effect of disabling TLS 1.2 (and in the future
    also TLS 1.3).

> I've read that in general the client proposes the highest version it
> supports and the server chooses a compatible version or rejects if there
> isn't one.  

The client proposes a range from lowest to highest.

> Rfc5246 basically says that the server will choose the highest
> version but I wanted to confirm that that's what openssl does (just to be
> certain).

OpenSSL may be unable to choose the highest version if none of the
enabled ciphersuites are compatible with that version.  That should
be rare, so in practice the server will choose the highest version
proposed by the client and supported by the server.

> e.g.  if the client proposes TLSv1.2 and the server supports TLSv1.2, will
> the server *ever* select TLSv1.1? thanks.

It could, if none of the shared ciphersuites were compatible with
TLS 1.2.  However, TLS 1.2 essentially supports a superset of the
ciphersuites of TLS 1.0 and TLS 1.1 so this condition is unlikely.

The exception is EXPORT ciphersuites which were removed from TLS
1.2, but until quite recently was still willing to negotiate them
even with TLS 1.2.  So if a client offers some EXPORT ciphers and
the server is configured to use only EXPORT ciphers, I'm not sure
whether these versions of OpenSSL will abort the handshake, or will
choose a lower protocol version.


More information about the openssl-users mailing list