[openssl-users] Disable/Enable TLS versions for all connections at runtime

Viktor Dukhovni openssl-users at dukhovni.org
Wed Nov 16 23:21:07 UTC 2016


On Wed, Nov 16, 2016 at 10:58:17PM +0000, Craig_Weeks at trendmicro.com wrote:

> Our product is going to provide runtime options to the user to enable and
> disable TLS 1.0, 1.1 and 1.2 in a discrete manner.

This is a bad interface.  Do not implement this feature.  Instead
support only a contiguous range of protocol versions, by allowing
the user to specify a lowest supported version and a highest
supported version.

This maps directly onto the OpenSSL 1.1.0 API, but in older
versions you'll need to map these onto corresponding:

	SSL_OP_NO_...

macros to disable all versions below the lowest, and if possible,
at least one version above the highest.  Note that TLS 1.2 is
the highest supported in OpenSSL 1.0.x, and no higher versions will
be added.  So "<= TLS 1.2" is the same as not bounded above.

-- 
	Viktor.
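An added example of the mapping Viktor describes (this is illustrative code written for this page, not code from the post, from OpenSSL or from Trend Micro's product). It turns a lowest/highest pair into the SSL_OP_NO_... mask you would hand to SSL_CTX_set_options() on 1.0.x: everything below the lowest bound is disabled, everything above the highest bound that the headers know about is disabled, and SSLv2 is always disabled. On 1.1.0 and later the same two bounds go straight to SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() instead, so only the range computation is needed. It also includes a contiguity check for a mask built from per-version toggles, which is the configuration shape the post advises against. The function and table names (proto_range_to_options, proto_options_contiguous, proto_table and so on) are my own; when <openssl/ssl.h> is not installed the file falls back to the macro values from OpenSSL 1.0.2, which are an assumption made only so that it compiles stand-alone without linking libssl. Where TLSv1.3 macros exist (1.1.1 and later headers) the table picks them up, so "disable at least one version above the highest" becomes "disable every known version above it".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Prefer the real OpenSSL definitions when the headers are installed.
 * Otherwise fall back to the values from OpenSSL 1.0.2's ssl.h/tls1.h
 * (assumed here only so this file builds stand-alone; nothing below
 * calls into libssl, so no -lssl is needed). */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    define HAVE_OPENSSL_HEADERS 1
#  endif
#endif
#ifndef HAVE_OPENSSL_HEADERS
#  define SSL3_VERSION       0x0300
#  define TLS1_VERSION       0x0301
#  define TLS1_1_VERSION     0x0302
#  define TLS1_2_VERSION     0x0303
#  define SSL_OP_NO_SSLv2    0x01000000L
#  define SSL_OP_NO_SSLv3    0x02000000L
#  define SSL_OP_NO_TLSv1    0x04000000L
#  define SSL_OP_NO_TLSv1_2  0x08000000L   /* 1.2's bit sits below 1.1's */
#  define SSL_OP_NO_TLSv1_1  0x10000000L
#endif

/* One row per version, ascending, with the SSL_OP_NO_* bit that disables it. */
struct proto_entry { int version; uint64_t no_option; const char *name; };

static const struct proto_entry proto_table[] = {
    { SSL3_VERSION,   SSL_OP_NO_SSLv3,   "SSLv3"   },
    { TLS1_VERSION,   SSL_OP_NO_TLSv1,   "TLSv1"   },
    { TLS1_1_VERSION, SSL_OP_NO_TLSv1_1, "TLSv1.1" },
    { TLS1_2_VERSION, SSL_OP_NO_TLSv1_2, "TLSv1.2" },
#ifdef SSL_OP_NO_TLSv1_3
    { TLS1_3_VERSION, SSL_OP_NO_TLSv1_3, "TLSv1.3" }, /* 1.1.1+ headers only */
#endif
};
#define PROTO_COUNT (sizeof proto_table / sizeof proto_table[0])

/* Version number for the name a config file or UI would use; 0 if unknown. */
int proto_version_by_name(const char *name)
{
    size_t i;
    for (i = 0; i < PROTO_COUNT; i++)
        if (strcmp(proto_table[i].name, name) == 0)
            return proto_table[i].version;
    return 0;
}

/* Map the inclusive range [lowest, highest] to an SSL_OP_NO_* mask for
 * SSL_CTX_set_options() on OpenSSL 1.0.x.  Returns 0 and sets *mask, or
 * -1 if a bound is unknown or the range is empty (lowest > highest). */
int proto_range_to_options(int lowest, int highest, uint64_t *mask)
{
    size_t lo = PROTO_COUNT, hi = PROTO_COUNT, i;
    uint64_t m = SSL_OP_NO_SSLv2;          /* never inside any supported range */

    for (i = 0; i < PROTO_COUNT; i++) {
        if (proto_table[i].version == lowest)  lo = i;
        if (proto_table[i].version == highest) hi = i;
    }
    if (lo == PROTO_COUNT || hi == PROTO_COUNT || lo > hi)
        return -1;
    for (i = 0; i < PROTO_COUNT; i++)
        if (i < lo || i > hi)               /* below lowest or above highest */
            m |= proto_table[i].no_option;
    *mask = m;
    return 0;
}

/* 1 if `version` stays enabled under [lowest, highest], 0 if it is disabled
 * (or unknown to these headers), -1 if the range itself is invalid. */
int proto_range_enables(int lowest, int highest, int version)
{
    uint64_t mask;
    size_t i;
    if (proto_range_to_options(lowest, highest, &mask) != 0)
        return -1;
    for (i = 0; i < PROTO_COUNT; i++)
        if (proto_table[i].version == version)
            return (mask & proto_table[i].no_option) ? 0 : 1;
    return 0;
}

/* Validate a mask built from discrete per-version toggles: 1 if the enabled
 * versions form one non-empty contiguous run, 0 if nothing is enabled or
 * there is a hole (e.g. TLSv1 and TLSv1.2 on, TLSv1.1 off). */
int proto_options_contiguous(uint64_t mask)
{
    size_t i, first = PROTO_COUNT, last = PROTO_COUNT;
    for (i = 0; i < PROTO_COUNT; i++) {
        if (mask & proto_table[i].no_option)
            continue;
        if (first == PROTO_COUNT)
            first = i;
        last = i;
    }
    if (first == PROTO_COUNT)
        return 0;
    for (i = first; i <= last; i++)
        if (mask & proto_table[i].no_option)
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    const char *lo_name = argc > 1 ? argv[1] : "TLSv1";     /* sample bounds */
    const char *hi_name = argc > 2 ? argv[2] : "TLSv1.2";
    int lo = proto_version_by_name(lo_name), hi = proto_version_by_name(hi_name);
    uint64_t mask;
    size_t i;

    if (lo == 0 || hi == 0 || proto_range_to_options(lo, hi, &mask) != 0) {
        fprintf(stderr, "unusable version range %s..%s\n", lo_name, hi_name);
        return 1;
    }
    printf("options mask for %s..%s: 0x%llx\n", lo_name, hi_name,
           (unsigned long long)mask);
    for (i = 0; i < PROTO_COUNT; i++)
        printf("  %-8s %s\n", proto_table[i].name,
               (mask & proto_table[i].no_option) ? "disabled" : "enabled");
    return 0;
}
```

Run it as `./a.out TLSv1.1 TLSv1.2` to see which bits a given range sets. The contiguity check is the guard to put in front of any legacy "checkbox per version" setting that has to be kept for compatibility: reject a saved configuration with a hole instead of silently honouring it.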

