Removing Extensions from Client Hello Header

Matt Caswell matt at openssl.org
Mon Nov 11 19:51:00 UTC 2019



On 11/11/2019 19:43, Benjamin Kaduk via openssl-users wrote:
> On Mon, Nov 11, 2019 at 12:32:22PM -0700, Phil Neumiller wrote:
>> I am speaking TLS 1.3 with openssl to a hardware device that I can't change.
>> I need the client hello header to only support certain extensions, yet I

Any compliant implementation should ignore extensions it doesn't
understand, so why do you need to do this?

>> see no way in the SSL API to remove the default extensions in the TLS 1.3
>> client hello.  Can I clear them all and just add the ones I want?  What am I
>> missing?  Do I have to modify the SSL code to do this?  It seems like there
>> should be an orthodox way to do this.
> 
> You have to disable them one by one; see SSL_CTX_set_options(3) and (e.g.)
> SSL_OP_NO_EXTENDED_MASTER_SECRET.

Only certain headers can be disabled in this way. Many of the extensions
present in a TLSv1.3 ClientHello are necessary for proper functioning of
the protocol.

Which extensions did you actually want to disable?

Matt
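Matt's point is that most of what a TLSv1.3 ClientHello carries is load-bearing, so before disabling anything it helps to see which extensions are actually on the wire. This is an added C example, not code from the thread or from OpenSSL: it walks a ClientHello extensions vector (bytes constructed here, not captured from any device) and flags the ones an (EC)DHE/certificate handshake under RFC 8446 needs; the "essential" set and the IANA type numbers are my own assumptions taken from RFC 8446, not something the thread states.

```c
/* Added example (not from the thread or OpenSSL): list the extensions in a
 * ClientHello extensions vector and mark those TLS 1.3 cannot do without.
 * The sample bytes below are constructed, not captured from a real client. */
#include <stdio.h>
#include <stddef.h>

/* IANA extension type numbers (assumed from RFC 8446 / the TLS registry) */
#define EXT_SUPPORTED_GROUPS   10
#define EXT_SIG_ALGS           13
#define EXT_EXT_MASTER_SECRET  23
#define EXT_SESSION_TICKET     35
#define EXT_SUPPORTED_VERSIONS 43
#define EXT_KEY_SHARE          51

/* 1 if a TLS 1.3 (EC)DHE + certificate handshake relies on this extension */
int tls13_essential(unsigned type)
{
    return type == EXT_SUPPORTED_VERSIONS || type == EXT_KEY_SHARE ||
           type == EXT_SUPPORTED_GROUPS   || type == EXT_SIG_ALGS;
}

/* Parse the extensions vector: 2-byte total length, then type/len/data
 * triples. Returns the extension count, or -1 if the encoding is malformed. */
int parse_extensions(const unsigned char *buf, size_t len, unsigned *types, int max)
{
    size_t pos = 2, end;
    int n = 0;
    if (len < 2) return -1;
    end = 2 + ((size_t)buf[0] << 8 | buf[1]);
    if (end != len) return -1;                 /* length must cover the buffer exactly */
    while (pos < end) {
        size_t elen;
        if (pos + 4 > end) return -1;          /* truncated type/length header */
        elen = (size_t)buf[pos + 2] << 8 | buf[pos + 3];
        if (pos + 4 + elen > end) return -1;   /* body runs past the vector */
        if (n < max) types[n] = (unsigned)buf[pos] << 8 | buf[pos + 1];
        n++;
        pos += 4 + elen;
    }
    return n;
}

/* Constructed sample: supported_versions, key_share, extended_master_secret, session_ticket */
static const unsigned char sample[] = {
    0x00, 0x15,                                /* vector length: 21 bytes */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,  /* supported_versions: [0x0304] */
    0x00, 0x33, 0x00, 0x02, 0x00, 0x00,        /* key_share: empty client_shares */
    0x00, 0x17, 0x00, 0x00,                    /* extended_master_secret */
    0x00, 0x23, 0x00, 0x00                     /* session_ticket */
};

int main(void)
{
    unsigned t[16];
    int i, n = parse_extensions(sample, sizeof(sample), t, 16);
    for (i = 0; i < n; i++)
        printf("ext %2u: %s\n", t[i], tls13_essential(t[i]) ? "essential" : "optional");
    return n < 0;
}
```

Of the four sample extensions only extended_master_secret and session_ticket come out as optional; those are the kind Ben's SSL_CTX_set_options(3) route can switch off, while the other two are what Matt means by "necessary for proper functioning".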

