[openssl-users] Does openssl server always choose highest TLS version offered?

Fri Nov 6 21:37:01 UTC 2015

Thanks for the detailed explanation, that's very useful ... N

Nou Dadoun
Senior Firmware Developer, Security Specialist

Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn

This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Friday, November 06, 2015 1:32 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Does openssl server always choose highest TLS version offered?

On Fri, Nov 06, 2015 at 08:59:58PM +0000, Nounou Dadoun wrote:

> Quick question, modifying context options on an openssl server 
> (disabling
> SSLv2 and SSLv3, enabling TLSv1 (for compatibility for now), TLSv1.1 
> and
> TLSv1.2) and I had a question about which version is chosen in 
> practice in a TLS connection.

On the server side, if at all possible, the selected protocol will be the highest one not disabled.

On the client side, it is more complicated, because the client can't propose a discrete list of protocols, rather it proposes a minimum and a maximum.

Therefore, with SSLv23_client_method() aka TLS_client_method() when you disable some set of protocols via:

    SSL_CTX_set_options(ctx, SSL_OP_NO_<...>)

lowest protocol that you *don't* disable becomes the minimum, and then the maximum is either one less than the first higher version that is disabled or else the maximum version supported.

Thus, for example, with;

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1_1);

    The minimum is then SSL 3.0 and the maximum is TLS 1.0, thus
    this has the side-effect of disabling TLS 1.2 (and in the future
    also TLS 1.3).

> I've read that in general the client proposes the highest version it 
> supports and the server chooses a compatible version or rejects if 
> there isn't one.

The client proposes a range from lowest to highest.

> Rfc5246 basically says that the server will choose the highest version 
> but I wanted to confirm that that's what openssl does (just to be 
> certain).

OpenSSL may be unable to choose the highest version if none of the enabled ciphersuites are compatible with that version.  That should be rare, so in practice the server will choose the highest version proposed by the client and supported by the server.

> e.g.  if the client proposes TLSv1.2 and the server supports TLSv1.2, 
> will the server *ever* select TLSv1.1? thanks.

It could, if none of the shared ciphersuites were compatible with TLS 1.2.  However, TLS 1.2 essentially supports a superset of the ciphersuites of TLS 1.0 and TLS 1.1 so this condition is unlikely.

The exception is EXPORT ciphersuites which were removed from TLS 1.2, but until quite recently was still willing to negotiate them even with TLS 1.2.  So if a client offers some EXPORT ciphers and the server is configured to use only EXPORT ciphers, I'm not sure whether these versions of OpenSSL will abort the handshake, or will choose a lower protocol version.

-- 
	Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users