[openssl-users] Working around servers requiring SSL 2/3 record layer, and using TLS 1.2?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Feb 11 02:54:39 UTC 2016


> On Feb 10, 2016, at 9:28 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
>> You should then disable unwanted protocols that are too weak.  In master
>> use the new min/max version controls and avoid the SSL_OP_NO_<some_version>
>> macros.  In 1.0.x, use the macros to disable some contiguous set of protocol
>> versions starting at SSLv2.
>> 
> Thanks Viktor. It sounds like Master is in good working order. Is
> there anything that can be done with OpenSSL 1.0.2?

Use SSLv23_method() (or SSLv23_client_method() if you prefer) and disable
unwanted protocols via the SSL_OP_NO_<someversion> macros, making sure to
disable each of SSLv2, SSLv3, ... up to some last protocol version you
want to disable without leaving any gaps.  That is, don't make the mistake
of disabling SSLv2 and TLSv1 while leaving SSLv3 enabled which creates
"holes" in the range of supported protocols (in this case TLSv1 is a "hole"
between SSLv3 and TLSv1.1).

-- 
	Viktor.
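What the reply above prescribes for 1.0.2, as an added C example that is neither Viktor's code nor the OpenSSL project's: build the SSL_OP_NO_<version> mask from a table ordered by protocol version so the disabled set is always a contiguous prefix starting at SSLv2, and check an arbitrary mask for the "hole" Viktor warns about. `USE_OPENSSL`, `legacy_no_opts`, `no_opts_contiguous_from_sslv2` and `make_client_ctx` are names chosen for this snippet; the fallback macro values are the ones from OpenSSL 1.0.2's ssl.h and are only used when the real header is not compiled in.

```c
#include <stdio.h>

/* Added example, not from the mailing-list post or the OpenSSL project.
 * Compile with -DUSE_OPENSSL -lssl -lcrypto to build the real SSL_CTX with
 * SSLv23_client_method(); without it, the macro values below (copied from
 * OpenSSL 1.0.2's ssl.h) stand in so the mask logic still runs stand-alone. */
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
#else
#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L   /* note: the 1_2 bit sits below 1_1 */
#define SSL_OP_NO_TLSv1_1 0x10000000L
#endif

/* Protocol versions in negotiation order.  The bit values above are NOT in
 * this order, which is why the mask is built from a table, not by hand. */
enum proto { V_SSLv2, V_SSLv3, V_TLSv1, V_TLSv1_1, V_TLSv1_2, V_COUNT };

static const long no_opt_for[V_COUNT] = {
    SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
    SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2
};
static const char *proto_name[V_COUNT] = {
    "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
};

/* Mask disabling every version strictly below `floor`, starting at SSLv2:
 * a contiguous prefix of the ordered list, so no holes are possible. */
long legacy_no_opts(enum proto floor)
{
    long opts = 0;
    int i;
    for (i = 0; i < (int)floor && i < V_COUNT; i++)
        opts |= no_opt_for[i];
    return opts;
}

/* Returns 1 if the versions disabled by `opts` form a prefix of the ordered
 * list and at least one version stays enabled; 0 if a disabled version sits
 * above an enabled one (a "hole") or if everything is disabled. */
int no_opts_contiguous_from_sslv2(long opts)
{
    int i, seen_enabled = 0;
    for (i = 0; i < V_COUNT; i++) {
        int disabled = (opts & no_opt_for[i]) != 0;
        if (!disabled)
            seen_enabled = 1;
        else if (seen_enabled)
            return 0;               /* disabled above an enabled version */
    }
    return seen_enabled;
}

#ifdef USE_OPENSSL
/* Version-flexible 1.0.2 client context restricted to `floor` and above. */
SSL_CTX *make_client_ctx(enum proto floor)
{
    SSL_CTX *ctx;
    SSL_library_init();
    ctx = SSL_CTX_new(SSLv23_client_method());
    if (ctx != NULL)
        SSL_CTX_set_options(ctx, legacy_no_opts(floor));
    return ctx;
}
#endif

int main(void)
{
    long good = legacy_no_opts(V_TLSv1_2);                /* TLS 1.2 only */
    long bad  = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1;        /* the mistake */
    int i;

    printf("TLS1.2-only mask: 0x%08lx, contiguous=%d\n",
           good, no_opts_contiguous_from_sslv2(good));
    printf("NO_SSLv2|NO_TLSv1 mask: 0x%08lx, contiguous=%d\n",
           bad, no_opts_contiguous_from_sslv2(bad));
    for (i = 0; i < V_COUNT; i++)
        if (!(bad & no_opt_for[i]))
            printf("  still enabled with the bad mask: %s\n", proto_name[i]);
#ifdef USE_OPENSSL
    { SSL_CTX *ctx = make_client_ctx(V_TLSv1_2); SSL_CTX_free(ctx); }
#endif
    return 0;
}
```

The check is worth running on any mask assembled from SSL_OP_NO_* macros read out of a config file: the macro bits are not in protocol order, so a mask that looks tidy in hex can still leave SSLv3 enabled between two disabled versions.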
