How to disable tls 1.0 and tls 1.1

Hubert Kario hkario at redhat.com
Fri Apr 12 11:20:10 UTC 2019


On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > there is no "min" version in Client Hello, the version in record layer is
> > irrelevant and used only for backwards compatibility *NOT* for
> > negotiation
> Thank you for the information. But I have a doubt: then what is the importance
> of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
> introduced in 1.1.X along with SSL_CTX_set_options()?

when the minimum set is higher than what the server answers with, the *client* 
will reject the connection after receiving ServerHello

that is:
when SSL_CTX_set_min_proto_version is set to tls 1.2,
SSL_CTX_set_max_proto_version is set to tls 1.3
and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1,
the client will abort the connection
 
> I would like to know how to disable TLSv1.0 and 1.1 using configure
> option[CONFOPTS] in Makefile.

what evidence do you have that what you do is ineffective?

why aren't you using:
./config no-tls1 no-tls1_1

> Thanks in advance,
> Chethan Kumar
> 
> 
> -----Original Message-----
> From: Hubert Kario [mailto:hkario at redhat.com] 
> Sent: Thursday, April 11, 2019 7:08 PM
> To: openssl-users at openssl.org
> Cc: Chethan Kumar <Chethan.Kumar at toshiba-tsip.com>
> Subject: Re: How to disable tls 1.0 and tls 1.1
> 
> On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> 
> > Adding to previous mail,
> > We tried -DSSL_OP_NO_TLSv1   -DSSL_OP_NO_TLSv1_1  along with disabling
> > SSLv2 and v1 but still client hello is sent using min and max as TLS1.0
> > and TLS1.2.
> 
> 
> there is no "min" version in Client Hello, the version in record layer is
> irrelevant and used only for backwards compatibility *NOT* for negotiation
> 
> 
> > Any idea what is wrong in our options and what should be used instead?
> 
> 
> compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1
> to enable just TLS 1.1 and see if your production compile can connect
> 
> > Thanks in advance,
> > Chethan Kumar
> > 
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
> > Behalf Of Chethan Kumar Sent: Thursday, April 11, 2019 4:25 PM
> > To: openssl-users at openssl.org
> > Subject: How to disable tls 1.0 and tls 1.1
> > 
> > Dear all,
> > 
> > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while 
> > compiling openssl package. I am using 1.0.2n openssl version and 
> > disabled
> > SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and 
> > -DOPENSSL_NO_SSL2.
> > 
> > I also have a doubt on difference between -DSSL_OP_NO_SSLv2,
> > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain 
> > the difference.
> > 
> > Thanks in advance,
> > Chethan Kumar
> > 
> > 
> 
> 
> 
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
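As an added illustration of the point made in this thread (example code, not from the list or from OpenSSL), the following constructs a minimal TLS ClientHello, parses out the three places a version number appears (record layer, legacy_version, the supported_versions extension), and applies the client-side min/max check that is only possible once the ServerHello version is known. Function and field names are the example's own; the layout follows the ClientHello structure from RFC 5246 and RFC 8446.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # TLS extension type for supported_versions (RFC 8446)

def build_client_hello(record_version, legacy_version, supported_versions=None):
    """Constructed sample: minimal ClientHello, one cipher suite, optional supported_versions."""
    ext = b""
    if supported_versions:
        versions = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(versions) + 1, len(versions)) + versions
    body = (bytes(legacy_version) + b"\x00" * 32        # legacy_version + 32-byte random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(ext)) + ext)         # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return every version field in the ClientHello; note there is no 'min' field anywhere."""
    assert data[0] == 0x16 and data[5] == 0x01, "not a ClientHello handshake record"
    record_version = tuple(data[1:3])                    # backwards-compat only, not negotiated
    pos = 9
    legacy_version = tuple(data[pos:pos + 2])            # pre-1.3: the highest version offered
    pos += 2 + 32                                        # skip version + random
    pos += 1 + data[pos]                                 # skip session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0] # skip cipher_suites
    pos += 1 + data[pos]                                 # skip compression_methods
    supported = None
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos < ext_end:                                 # walk the extension list
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        edata = data[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS_EXT:              # TLS 1.3 style: explicit list of versions
            supported = [tuple(edata[i:i + 2]) for i in range(1, 1 + edata[0], 2)]
        pos += 4 + elen
    return {"record_version": record_version, "legacy_version": legacy_version,
            "supported_versions": supported}

def highest_offered(parsed):
    """What a server picks from: the supported_versions list if present, else legacy_version."""
    return max(parsed["supported_versions"]) if parsed["supported_versions"] else parsed["legacy_version"]

def client_accepts(server_hello_version, min_version, max_version):
    """The client-side check described in the thread: min/max are enforced on the ServerHello."""
    return min_version <= server_hello_version <= max_version
```

With min set to (3, 3) and max to (3, 4), a ServerHello carrying (3, 2) is rejected by the client even though the ClientHello it sent carried a (3, 1) record-layer version.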