Order of protocols in MinProtocol

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 8 15:28:06 UTC 2020

On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

Unfortunately, I think that's expected.  The actual bounds are numeric,
and TLS protocols start at 0x0301 (TLS 1.0) and go up to 0x304 (TLS

    # define TLS1_VERSION                    0x0301
    # define TLS1_1_VERSION                  0x0302
    # define TLS1_2_VERSION                  0x0303
    # define TLS1_3_VERSION                  0x0304
    # define TLS_MAX_VERSION                 TLS1_3_VERSION

    [ It is also possible to set the floor at SSL3_VERSION == 0x0300,
      if that's still enabled in your build. ]

while DTLS protocols start at 0xFEFF (DTLS 1.0) and count down:

    # define DTLS1_VERSION                   0xFEFF
    # define DTLS1_2_VERSION                 0xFEFD
    # define DTLS_MIN_VERSION                DTLS1_VERSION
    # define DTLS_MAX_VERSION                DTLS1_2_VERSION

So when on a particular SSL_CTX you set MinProtocol and/or MaxProtocol,
that setting really only makes sense for TLS or for DTLS, but never
both, and you need a separate SSL_CTX for DTLS if you intend to
specify the protocol ranges.

> How could I set the a System default "MinProtocol" for DTLS and TLS to 1.2?

AFAIK, that's not presently possible.  You can specify application
profiles, for applications that specify an application name when
initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
select an alternative configuration file for DTLS applications.


More information about the openssl-users mailing list