How to disable tls 1.0 and tls 1.1

Hubert Kario hkario at redhat.com
Thu Apr 11 13:37:56 UTC 2019


On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> Adding to previous mail,
> We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling SSLv2
> and v1 but still client hello is sent using min and max as TLS1.0 and
> TLS1.2.

There is no "min" version in Client Hello; the version in the record layer is
irrelevant and used only for backwards compatibility, *NOT* for negotiation.

> Any idea what is wrong in our options and what should be used instead?

Compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1
to enable just TLS 1.1, and see if your production compile can connect.

> Thanks in advance,
> Chethan Kumar
> 
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Chethan Kumar
> Sent: Thursday, April 11, 2019 4:25 PM
> To: openssl-users at openssl.org
> Subject: How to disable tls 1.0 and tls 1.1
> 
> Dear all,
> 
> Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while
> compiling openssl package. I am using 1.0.2n openssl version and disabled
> SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> -DOPENSSL_NO_SSL2.
> 
> I also have a doubt on difference between -DSSL_OP_NO_SSLv2,
> -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain the
> difference.
> 
> Thanks in advance,
> Chethan Kumar
> 
> 
> The information contained in this e-mail message and in any
> attachments/annexure/appendices is confidential to the recipient and may
> contain privileged information. If you are not the intended recipient,
> please notify the sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose, copy or otherwise
> use the information contained in the message or any annexure. Any views
> expressed in this e-mail are those of the individual sender except where
> the sender specifically states them to be the views of Toshiba Software
> India Pvt. Ltd. (TSIP),Bangalore.
> Although this transmission and any attachments are believed to be free of
> any virus or other defect that might affect any computer system into which
> it is received and opened, it is the responsibility of the recipient to
> ensure that it is virus free and no responsibility is accepted by Toshiba
> Software India Pvt. Ltd, for any loss or damage arising in any way from its
> use.


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
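
Added example (not part of the reply above and not OpenSSL code): a small Python parser that pulls out the two version fields the reply distinguishes, the record-layer version and the ClientHello's own client_version. It also reads the supported_versions extension used by newer clients, which goes beyond the 1.0.2 case in this thread. The sample bytes are constructed and the function names are this example's own.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Return the version fields of one TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack_from("!HH", record, 1)
    body = record[5:5 + rec_len]
    if len(body) < 4 + 35 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = int.from_bytes(hello[0:2], "big")   # highest version offered
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    offered = []
    if pos + 2 <= len(hello):                         # extensions are optional
        end = min(len(hello), pos + 2 + int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 43 and data:               # supported_versions
                offered = [int.from_bytes(data[i:i + 2], "big")
                           for i in range(1, min(len(data), 1 + data[0]) - 1, 2)]
            pos += 4 + ext_len
    return {"record_layer": NAMES.get(rec_ver, hex(rec_ver)),
            "client_version": NAMES.get(client_ver, hex(client_ver)),
            "supported_versions": [NAMES.get(v, hex(v)) for v in offered]}

def build_sample(rec_ver: int, client_ver: int, extensions: bytes = b"") -> bytes:
    """Constructed ClientHello: zero random, one cipher suite, null compression."""
    hello = struct.pack("!H", client_ver) + bytes(32) + b"\x00"
    hello += b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs

# Constructed sample matching the observation in the thread: the record layer
# says TLS 1.0 while client_version, the only negotiated field here, is TLS 1.2.
SAMPLE = build_sample(0x0301, 0x0303)
```

A capture that shows TLS 1.0 at the record layer next to TLS 1.2 in the handshake therefore does not show that TLS 1.0 is on offer; connecting to a TLS 1.1-only `s_server`, as suggested above, is the actual check.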