Order of protocols in MinProtocol

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jul 12 04:29:43 UTC 2020


On Wed, Jul 08, 2020 at 07:27:18PM +0200, Klaus Umbach via openssl-users wrote:

> > > Should I open an issue at https://github.com/openssl/openssl/issues?
> > 
> > Yes please.
> 
> Done: https://github.com/openssl/openssl/issues/12394

Thanks again for opening the issue, but I have a follow up question for
your original message, that is easiest to ask on the list.

On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

- Can you be a bit more specific about the failure mode of "openconnect"?
- What are the error messages?
- Can you get verbose error information?

The reason I ask, is that much to my surprise, in trying to write a
patch to resolve this issue, I discovered that I had already written
essentially the requisite code back in 2015, but had long ago forgotten
the details!

Documentation improvements aside, the above 2015 code in OpenSSL already
applies TLS version bounds only to TLS-based contexts, and DTLS bounds
only to DTLS-based contexts.

Thus you can already write:

    MinProtocol TLSv1.2
    MinProtocol DTLSv1.2

repeating the option with appropriate settings for each of TLS and DTLS
and pretty each applies to the appropriate type of SSL_CTX.

The main outstanding issue for which I'm authoring a new PR, is that
each of the above results in SSL_CONF_cmd() returning an error for
contexts of the other type or for contexts that are for a specific fixed
version of TLS or DTLS, and perhaps these errors are not ignored and
cause issues with context initialisation?  The update I'm writing will
be more forgiving and silently report success when the setting is not
applicable.

That aside, clearly the documentation also needs an update.  But I would
like to confirm that I'm not missing some crucial detail, and therefore
it would be very helpful to get a more detailed breakdown of the errors
you observed, assuming that the application isn't so user-friendly as to
hide all those geeky error details... :-(

-- 
    VIktor.


More information about the openssl-users mailing list