How to disable tls 1.0 and tls 1.1

Chethan Kumar Chethan.Kumar at toshiba-tsip.com
Mon Apr 15 06:13:43 UTC 2019


>>If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time.
>>Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the
>>SSL_CTX_set_options() or SSL_set_options() functions.
Since we have many applications using openssl services, it is difficult to implement this in all applications.

I need to find a single point in the openssl source code (if not in the Makefile) to disable TLSv1.0 and TLSv1.1 for both server and client communications.

Thanks in advance,
Chethan

-----Original Message-----
From: Matt Caswell [mailto:matt at openssl.org] 
Sent: Friday, April 12, 2019 9:21 PM
To: Chethan Kumar <Chethan.Kumar at toshiba-tsip.com>; openssl-users at openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1



On 12/04/2019 15:50, Chethan Kumar wrote:
> Thank to both Hubert Kario and Matt Caswell for your valuable information.
> This group has helped a lot in gaining many insights on openssl for a newbie like me.
> 
> I was wrong with my understanding.
> But I executed the below command to communicate with TLS1.2 when only
> TLS1.0 and 1.1 were disabled, and even that failed to execute, saying "unknown option -tls1_2".
> Any reason for that?

Ah! My apologies - I've just now realised that you are using OpenSSL 1.0.2 (and going back to your original post I see that you did actually say that). Sorry for misleading you.

OpenSSL 1.0.2 works differently to later versions in this regard and quite inconsistently. You can disable SSLv2 and SSLv3 at compile time (SSLv2 is disabled by default) using the no-ssl2 and no-ssl3 options.

If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time.
Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the
SSL_CTX_set_options() or SSL_set_options() functions.

Matt

> 
> Thanks in advance,
> Chethan Kumar
> 
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
> Behalf Of Matt Caswell
> Sent: Friday, April 12, 2019 7:28 PM
> To: openssl-users at openssl.org
> Subject: Re: How to disable tls 1.0 and tls 1.1
> 
> 
> 
> On 12/04/2019 14:37, Chethan Kumar wrote:
>>> Please note that curl developers have recently changed the meaning of those options, please check if they do what you expect them to do by inspecting the curl man page.
>> Thanks for the information. I understood it.
>> I also used openssl s_client to communicate with the server using the below command.
>> openssl s_client -connect 172.28.80.66:8080 -tls1_1
>> It says "unknown option -tls1_1"
>> Same for -tls1.
> 
> If s_client doesn't recognise the -tls1_1 and -tls1 options then this
> means that TLSv1.1 and TLSv1.0 have been disabled.
> 
>>
>> And even if I disable TLSv1.2 and execute openssl s_client -connect
>> 172.28.80.66:8080 -no_tls1_2
>> WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
>> CONNECTED(00000003)
>> 2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> 
> So you attempt a connection and ask s_client to disable TLSv1.2 at runtime.
> You've already asked it to disable TLSv1.1 and TLSv1.0 at compile time. Since
> SSLv3 is also compiled out by default there are no protocol versions left so the expected result will be a handshake failure - which is exactly what you've got.
> 
>>> what you mean by "used them in Makefile", I'm talking about 
>>> configure script
>> I added these options in the Makefile like, CONFOPTS += linux-ppc
>> -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1
>> no-tls1_1 no-tls1-method no-tls1_1-method
> 
> *Don't edit the Makefile*. You only need to pass options to Configure.
> 
>>
>>> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
>> Yes, even after adding these options it produces the same result.
> 
> The result above means you have disabled TLSv1.1 and TLSv1.0 - which was your objective IIUC.
> 
> 
>>
>> I am confused about what the problem is.
>> Let me know if there is any other way to disable TLSv1.0 and TLS1.1
> 
> It sounds like you already did it.
> 
> Matt
> 
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
