Order of protocols in MinProtocol

Matt Caswell matt at openssl.org
Wed Jul 8 16:57:48 UTC 2020



On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?
>>>>
>>>> AFAIK, that's not presently possible.  You can specify application
>>>> profiles, for applications that specify an application name when
>>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>>> select an alternative configuration file for DTLS applications.
>>>
>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>> on some sensible mapping between TLS protocol versions based on whether
>>> we have a DTLS or TLS based SSL_METHOD.
> 
> Should I open an issue at https://github.com/openssl/openssl/issues?

Yes please.


> But for my personal problem right now (openconnect uses TLS and DTLS, so
> even if it would set an application name I couldn't set a "proper"
> setting), until this bug is fixed, I use this now:
> 
>    # MinProtocol = TLSv1.2
>    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

Looks sane - although do you also mean to disable DTLSv1? Perhaps for
safety you should also disable SSLv3 (although support for it is not
built by default anyway).

Matt
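A complete system-default configuration file along the lines discussed above, with Matt's two suggested additions (disabling DTLSv1 and SSLv3) folded in. This is an added example, not something posted in the thread or shipped by OpenSSL; the section names `default_conf`, `ssl_sect` and `system_default_sect` are arbitrary labels, only the `openssl_conf`, `ssl_conf` and `system_default` keys and the `Protocol` command are fixed by OpenSSL's configuration syntax.

```ini
# Top-level: name of the section holding the initialisation settings.
# (section names are assumed labels; only the key names are fixed)
openssl_conf = default_conf

[default_conf]
# Points at the section that configures the SSL/TLS module.
ssl_conf = ssl_sect

[ssl_sect]
# system_default is applied to every SSL_CTX at SSL_CTX_new(), so it
# covers both TLS and DTLS contexts without an application profile.
system_default = system_default_sect

[system_default_sect]
# MinProtocol cannot express one floor for both TLS and DTLS (see thread),
# so enumerate explicitly: disable every pre-1.2 version of either family
# and leave only TLS 1.2, TLS 1.3 and DTLS 1.2 enabled.
Protocol = -SSLv3, -TLSv1, -TLSv1.1, -DTLSv1, TLSv1.2, TLSv1.3, DTLSv1.2
```

Point OpenSSL at this file with the OPENSSL_CONF environment variable (or install it as the default openssl.cnf) and the restriction applies to every program that does not override it; an application that sets its own protocol bounds or application name can still differ.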

