[openssl-users] Disable/Enable TLS versions for all connections at runtime

Matt Caswell matt at openssl.org
Wed Nov 16 23:26:38 UTC 2016 


On 16/11/16 23:22, Dan S wrote:
> I thought there is anything that would stop you from compiling with
> everything and make choices at run time, (TLSv1_2_method,
> TLSv1_1_method, TLSv1_method, SSLv23_method etc... just set the right
> flags and cyphers)

Do not use the TLS*method() functions for this purpose. They will lock
you into one specific protocol version. It is best to always use the
version flexible method TLS_method() (this was called SSLv23_method() in
1.0.2 - but it is the same thing despite the confusing name), and then
configure allowed versions with SSL_CTX_set_max_proto_version() and
SSL_CTX_set_min_proto_version() as described in my other post.

Matt



> 
> On Wed, Nov 16, 2016 at 2:58 PM, Craig_Weeks at trendmicro.com
> <mailto:Craig_Weeks at trendmicro.com> <Craig_Weeks at trendmicro.com
> <mailto:Craig_Weeks at trendmicro.com>> wrote:
> 
>     I am an OpenSSL neophyte, so please bear with me if the answer is
>     obvious in the documentation.____
> 
>     __ __
> 
>     Our product is going to provide runtime options to the user to
>     enable and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For
>     example: today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1
>     and 1.2, disable 1.0.____
> 
>     __ __
> 
>     How do I use the available APIs to toggle the availability of these
>     versions of TLS at runtime (as opposed to some compile time switch
>     that permanently removes support for 1 or more versions)? I want
>     these settings to apply to all new connections after they have been
>     enabled or disabled.____
> 
>     __ __
> 
>     *Craig Weeks *| Senior Software Engineer, Support Response Team
>     (SRT)____
> 
>     __ __
> 
>     craig_weeks at trendmicro.com <mailto:Richard_Fangman at trendmicro.com>____
> 
>     __ __
> 
>     14231 Tandem Blvd, Austin TX 78728____
> 
>     __ __
> 
>     www.trendmicro.com <http://www.trendmicro.com>____
> 
>     __ __
> 
>     TREND MICRO EMAIL NOTICE
>     The information contained in this email and any attachments is confidential 
>     and may be subject to copyright or other intellectual property protection. 
>     If you are not the intended recipient, you are not authorized to use or 
>     disclose this information, and we request that you notify us by reply mail or
>     telephone and delete the original message from your mail system.
> 
> 
>     --
>     openssl-users mailing list
>     To unsubscribe:
>     https://mta.openssl.org/mailman/listinfo/openssl-users
>     <https://mta.openssl.org/mailman/listinfo/openssl-users>
> 
> 
> 
>

More information about the openssl-users mailing list