Order of protocols in MinProtocol

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jul 8 16:21:52 UTC 2020

On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:

> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >> How could I set the a System default "MinProtocol" for DTLS and TLS to 1.2?
> > 
> > AFAIK, that's not presently possible.  You can specify application
> > profiles, for applications that specify an application name when
> > initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> > select an alternative configuration file for DTLS applications.
> Arguably, that is a bug. You *should* be able to do that - perhaps based
> on some sensible mapping between TLS protocol versions based on whether
> we have a DTLS or TLS based SSL_METHOD.

I agree that the situation with MinProtocol in openssl.cnf is
unfortunate.  But instead of mappings, I would propose a different

    * Restrict MinProtocol/MaxProtocol to just TLS protocols,
      i.e. SSL_CTX objects with a TLS-based method.

    * Introduct new controls: DTLSMinProtocolDTLS, DTLSMaxProtocol,
      that are similarly restricted to SSL_CTX objects with a DTLS-based

    * Since SSL_CTX_new() takes a required method argument, we are in
      never in doubt as to which pair of controls to apply to a given



More information about the openssl-users mailing list