[openssl-users] How to limit advertised maximum ssl version in ssl23 client hello

Viktor Dukhovni openssl-users at dukhovni.org
Thu Nov 30 20:25:09 UTC 2017



> On Nov 30, 2017, at 9:22 AM, Joseph Southwell <jsouthwell at serengeti.com> wrote:
> 
> So I have a server I connect to that replies “insufficient security” when I connect with an ssl23 client hello from openssl 1.0.2. However, when I connect with any of the ssl3-tls1.1 client hellos it works. It doesn’t work if I try to connect with a tls1.2 client hello. I am trying to narrow down the problem, so I would like to send an ssl23 client hello that only advertises up to 1.1. Any idea how to do just that?

OpenSSL 1.1.0 provides controls to explicitly set the maximum and/or
minimum SSL/TLS protocol version.  In OpenSSL 1.0.2, you can only
disable specific versions via SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3,
SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 or SSL_OP_NO_TLSv1_2, making sure
to not introduce "holes"!  After disabled protocols are removed the
remaining protocols *MUST* form a contiguous range with no gaps in
the middle.

-- 
	Viktor.
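As an added illustration of the reply above (example code, not from the thread or from OpenSSL): a small helper that picks the SSL_OP_NO_* options needed to cap a 1.0.2-style SSLv23 client at a chosen maximum version, renders the expression to hand to SSL_CTX_set_options(), and checks the "no holes" rule. The version order and option names are OpenSSL 1.0.2's; the bit positions are this example's own, not the library's numeric option values, so it builds without OpenSSL headers.

```c
/* Added example, not from the thread: picks the SSL_OP_NO_* set that caps a
 * 1.0.2-era SSLv23 client at a chosen maximum version and checks the reply's
 * "no holes" rule. Names follow OpenSSL 1.0.2; bit positions are this
 * example's own, not the library's SSL_OP_NO_* values, so no headers needed. */
#include <string.h>

enum { V_SSL2, V_SSL3, V_TLS1, V_TLS1_1, V_TLS1_2, V_COUNT };
#define ALL_VERSIONS ((1u << V_COUNT) - 1u)

static const char *const opt_name[V_COUNT] = {
    "SSL_OP_NO_SSLv2", "SSL_OP_NO_SSLv3", "SSL_OP_NO_TLSv1",
    "SSL_OP_NO_TLSv1_1", "SSL_OP_NO_TLSv1_2",
};

/* Bit v set means "disable version v" (its SSL_OP_NO_* option). */
unsigned disable_outside(int min_v, int max_v)
{
    unsigned keep = 0;
    for (int v = min_v; v <= max_v; v++)
        keep |= 1u << v;
    return ALL_VERSIONS & ~keep;
}

/* 1 if the versions still enabled form one contiguous run, else 0. */
int enabled_is_contiguous(unsigned disabled)
{
    unsigned e = ALL_VERSIONS & ~disabled;
    if (e == 0)
        return 0;                 /* everything disabled: no handshake possible */
    while ((e & 1u) == 0)
        e >>= 1;                  /* strip the low zero bits */
    return ((e + 1u) & e) == 0;   /* what is left must be 2^k - 1 */
}

/* Render the expression to pass to SSL_CTX_set_options(ctx, ...). */
void render_options(unsigned disabled, char *out, size_t outlen)
{
    out[0] = '\0';
    for (int v = 0; v < V_COUNT; v++) {
        if (!(disabled & (1u << v)))
            continue;
        if (out[0])
            strncat(out, " | ", outlen - strlen(out) - 1);
        strncat(out, opt_name[v], outlen - strlen(out) - 1);
    }
}
```

For the poster's case, `disable_outside(V_SSL3, V_TLS1_1)` renders as `SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1_2` and passes the contiguity check, whereas disabling only `SSL_OP_NO_TLSv1` leaves SSLv3 below and TLS 1.1/1.2 above a gap and fails it.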


