Order of protocols in MinProtocol
Klaus Umbach
klaus+ml.openssl-users at uxix.de
Wed Jul 8 16:48:24 UTC 2020
On 08.07.20 12:21, Viktor Dukhovni wrote:
> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>
> > On 08/07/2020 16:28, Viktor Dukhovni wrote:
> > >> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
> > >
> > > AFAIK, that's not presently possible. You can specify application
> > > profiles, for applications that specify an application name when
> > > initializing OpenSSL. Or use the OPENSSL_CONF environment variable to
> > > select an alternative configuration file for DTLS applications.
> >
> > Arguably, that is a bug. You *should* be able to do that - perhaps based
> > on some sensible mapping between TLS protocol versions based on whether
> > we have a DTLS or TLS based SSL_METHOD.
Should I open an issue at https://github.com/openssl/openssl/issues?
>
> I agree that the situation with MinProtocol in openssl.cnf is
> unfortunate. But instead of mappings, I would propose a different
> solution:
>
> * Restrict MinProtocol/MaxProtocol to just TLS protocols,
> i.e. SSL_CTX objects with a TLS-based method.
>
> * Introduce new controls: DTLSMinProtocolDTLS, DTLSMaxProtocol,
> that are similarly restricted to SSL_CTX objects with a DTLS-based
> method.
>
> * Since SSL_CTX_new() takes a required method argument, we are
> never in doubt as to which pair of controls to apply to a given
> context.
>
> Thoughts?
To me this sounds sane.
But for my personal problem right now (openconnect uses TLS and DTLS, so
even if it would set an application name I couldn't set a "proper"
setting), until this bug is fixed, I use this now:
# MinProtocol = TLSv1.2
Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
(with a big comment for future-me, why I did something that I shouldn't)
To my understanding, this will do exactly what I want, up to that point in
time, when there are newer versions of DTLS and/or TLS supported and I want
to use them. (SSL3 is not supported in my build)
Am I right?
-
Klaus
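For anyone who wants to apply the same workaround system-wide, here is an added example (not from the message above or from the OpenSSL project) of the full openssl.cnf section chain that the Protocol line has to sit in; the section names are the conventional ones, and the `-DTLSv1` entry is an addition here so that DTLS 1.0 is disabled as well as TLS 1.0/1.1.

```ini
# Added example: system-wide protocol floor via the SSL_CONF module.
# Top of the file: name the section that the library reads on startup.
openssl_conf = default_conf

[default_conf]
# Hand SSL/TLS settings to the ssl_conf module.
ssl_conf = ssl_sect

[ssl_sect]
# system_default applies to every SSL_CTX, TLS- or DTLS-based,
# unless an application registers its own app name.
system_default = system_default_sect

[system_default_sect]
# MinProtocol = TLSv1.2 would refuse DTLS contexts (DTLSv1.2 < TLSv1.2
# as an enum), so disable the old versions by name instead.
# Unprefixed names enable, '-' disables; both TLS and DTLS names are
# accepted by the Protocol command.
Protocol = -TLSv1, -TLSv1.1, -DTLSv1, TLSv1.2, TLSv1.3, DTLSv1.2
```

To try the file without installing it, point OPENSSL_CONF at it and run `openssl s_client -tls1_1 -connect <host>:443` against a server you control: the handshake should fail instead of negotiating TLS 1.1, while a plain `openssl s_client -connect <host>:443` still succeeds.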