Order of protocols in MinProtocol

Klaus Umbach klaus+ml.openssl-users at uxix.de
Wed Jul 8 17:27:18 UTC 2020


On 08.07.20 17:57, Matt Caswell wrote:
> 
> 
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> > On 08.07.20 12:21, Viktor Dukhovni wrote:
> >> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> >>
> >>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
> >>>>> How could I set the a System default "MinProtocol" for DTLS and TLS to 1.2?
> >>>>
> >>>> AFAIK, that's not presently possible.  You can specify application
> >>>> profiles, for applications that specify an application name when
> >>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
> >>>> select an alternative configuration file for DTLS applications.
> >>>
> >>> Arguably, that is a bug. You *should* be able to do that - perhaps based
> >>> on some sensible mapping between TLS protocol versions based on whether
> >>> we have a DTLS or TLS based SSL_METHOD.
> > 
> > Should I open an issue at https://github.com/openssl/openssl/issues?
> 
> Yes please.

Done: https://github.com/openssl/openssl/issues/12394

> 
> 
> > But for my personal problem right now (openconnect uses TLS and DTLS, so
> > even if it would set an application name I couldn't set a "proper"
> > setting), until this bug is fixed, I use this now:
> > 
> >    # MinProtocol = TLSv1.2
> >    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
> 
> Looks sane - although do you also mean to disable DTLSv1? Perhaps for
> safety you should also disable SSLv3 (although support for it is not
> built by default anyway).

Ah, thanks, I missed DTLSv1. (SSLv3 is not enabled in my build, but for
safety reasons, you are right)

Thank you!

-
    Klaus
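For reference, here is what the system-wide default looks like once the two additions from Matt Caswell's reply are folded in. This is an added example, not a file from the thread or from OpenSSL itself: the section names default_conf, ssl_sect and system_default_sect are assumed (any names work as long as each reference matches its section header), and the file is whatever openssl.cnf the build reads, or the one named by OPENSSL_CONF.

```ini
# openssl.cnf (added example, not part of the thread)
# Top-level key: OpenSSL looks for "openssl_conf" in the default section
# and treats its value as the name of the configuration module section.
openssl_conf = default_conf

[default_conf]
# Hand the SSL configuration module its own section.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" applies to every SSL_CTX created without an application
# name, which covers both the TLS and the DTLS context of a program such as
# openconnect.
system_default = system_default_sect

[system_default_sect]
# As posted in the thread: leaves DTLSv1 enabled and does not name SSLv3.
# Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
#
# Amended: SSLv3 and DTLSv1 are switched off explicitly, so the one line
# gives a 1.2-or-better floor for both the TLS and the DTLS SSL_METHOD.
# (MinProtocol = TLSv1.2 alone would not reach the DTLS side, as discussed.)
Protocol = -SSLv3, -TLSv1, -TLSv1.1, -DTLSv1, TLSv1.2, TLSv1.3, DTLSv1.2
```

To confirm the file is picked up and parses, point OPENSSL_CONF at it and run any openssl command; a malformed section or an unknown directive is reported on stderr before the command itself runs. The Protocol directive is the older form and MinProtocol/MaxProtocol the preferred one, which is exactly why the thread treats the missing DTLS coverage of MinProtocol as a bug worth filing.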

