[openssl-users] Disable/Enable TLS versions for all connections at runtime

Matt Caswell matt at openssl.org
Wed Nov 16 23:22:11 UTC 2016

On 16/11/16 22:58, Craig_Weeks at trendmicro.com wrote:
> I am an OpenSSL neophyte, so please bear with me if the answer is
> obvious in the documentation.
> Our product is going to provide runtime options to the user to enable
> and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For example:
> today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1 and 1.2,
> disable 1.0.
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch that
> permanently removes support for 1 or more versions)? I want these
> settings to apply to all new connections after they have been enabled or
> disabled.

The preferred way to do this is using SSL_CTX_set_max_proto_version()
and SSL_CTX_set_min_proto_version():


Note these macros are only available in OpenSSL 1.1.0.

If you need something that will work in OpenSSL 1.0.2 and 1.1.0 then you
can use SSL_CTX_set_options() to disable specific protocol versions:


Note: your example of "enable 1.0 and 1.2, disable 1.1" would be
strongly discouraged. You are encouraged to only allow a contiguous set
of protocol versions without any "holes". It is possible to do this with
SSL_CTX_set_options() although you may get some unpredictable results
around version negotiation.


More information about the openssl-users mailing list