On 13/11/15 02:56, pratyush parimal wrote:
> Hi,
>
> I'm writing a client-server program that uses TLS for communication.
> I'm wondering if there's any way to programmatically find out which TLS
> protocol versions are supported by the OpenSSL library installed on my
> system.
>
> I'm currently aware of three ways which "sort of" provide this information:
> (1) After setting up the TLS communication, call: SSL_get_version(ssl);
> which returns "TLSV1.2", etc.
> (2) Try to connect to a server using TLS by specifying all possible TLS
> versions in the client program, and see which connections pass/fail.
> (3) Call: SSL_get_ciphers(), print their names, and try to correlate
> them with the protocol they're associated with.
>
> Unfortunately, none of the above answer my question completely.
>
> So is it possible to ascertain which TLS protocol versions are actually
> supported by my server-program, without trying the above methods? My
> purpose is not to simply make a list for my own reference, but rather
> finding it out on-the-fly in the server-side program, since I may run it
> on different versions of OpenSSL.

You can use the define TLS_MAX_VERSION to determine the highest protocol
version supported by the library.

If you also want to know the lowest version then that's a bit more tricky.
All current released versions will define OPENSSL_NO_SSL3 if SSLv3 support
has been compiled out, and OPENSSL_NO_SSL2 if SSLv2 support has been
compiled out (it's not currently possible to compile out other protocol
versions). In the forthcoming 1.1.0 release SSLv2 support has been
completely removed so you don't get OPENSSL_NO_SSL2 even though there is no
SSLv2 support available (hmmmm...I wonder if we should add that?). There
are other SSLv2 defines in ssl2.h that are removed in 1.1.0 which you could
use to detect whether you are on a version with ssl2.h completely removed
such as SSL2_MT_ERROR, i.e.
something like (completely untested):

    /* SSLv3 compiled out: TLSv1.0 is the lowest version left. */
    #ifdef OPENSSL_NO_SSL3
    # define TLS_MIN_VERSION TLS1_VERSION
    /* SSLv2 compiled out, or ssl2.h gone entirely (1.1.0): SSLv3 is lowest. */
    #elif defined(OPENSSL_NO_SSL2) || !defined(SSL2_MT_ERROR)
    # define TLS_MIN_VERSION SSL3_VERSION
    /* Otherwise SSLv2 is still built in. */
    #else
    # define TLS_MIN_VERSION SSL2_VERSION
    #endif

How future-proof that is if we ever remove SSLv3 support I'm not sure.

Matt
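The following is an added example, not code from the thread or from the OpenSSL project, that turns the compile-time macro approach in the reply into a small program an application can build against whatever OpenSSL headers are installed. It assumes a compiler that supports __has_include (GCC 5+, Clang), so the file still compiles, and reports that no range is available, on a machine without OpenSSL headers; the fallback numeric constants are the on-the-wire protocol version numbers OpenSSL uses and are only defined when the headers are absent. The handling of a header set that no longer defines TLS_MAX_VERSION is an assumption about newer releases, not something the reply states.

```c
/* Added example (not from the original thread): compile-time discovery of
 * the SSL/TLS protocol version range an OpenSSL build supports, using the
 * OPENSSL_NO_SSL3 / OPENSSL_NO_SSL2 / SSL2_MT_ERROR / TLS_MAX_VERSION macros.
 * Only macros are consulted, so no link against libssl is needed. */
#include <stdio.h>
#include <string.h>

/* Assumption: __has_include is available (GCC 5+, Clang). */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    define HAVE_OPENSSL_HEADERS 1
#  endif
#endif
#ifndef HAVE_OPENSSL_HEADERS
#  define HAVE_OPENSSL_HEADERS 0
#endif

#if HAVE_OPENSSL_HEADERS
/* Lowest version, exactly the logic from the reply above. */
#  if defined(OPENSSL_NO_SSL3)
#    define DETECTED_MIN_VERSION TLS1_VERSION
#  elif defined(OPENSSL_NO_SSL2) || !defined(SSL2_MT_ERROR)
#    define DETECTED_MIN_VERSION SSL3_VERSION
#  else
#    define DETECTED_MIN_VERSION SSL2_VERSION
#  endif
/* Highest version: TLS_MAX_VERSION where the headers define it. Assumption:
 * a header set without it still defines the newest TLS1_x_VERSION it knows. */
#  if defined(TLS_MAX_VERSION)
#    define DETECTED_MAX_VERSION TLS_MAX_VERSION
#  elif defined(TLS1_3_VERSION)
#    define DETECTED_MAX_VERSION TLS1_3_VERSION
#  else
#    define DETECTED_MAX_VERSION TLS1_2_VERSION
#  endif
#endif

/* Fallback wire-format version numbers (same values OpenSSL's headers use),
 * so the name table below compiles even without OpenSSL installed. */
#ifndef SSL2_VERSION
#  define SSL2_VERSION   0x0002
#endif
#ifndef SSL3_VERSION
#  define SSL3_VERSION   0x0300
#endif
#ifndef TLS1_VERSION
#  define TLS1_VERSION   0x0301
#endif
#ifndef TLS1_1_VERSION
#  define TLS1_1_VERSION 0x0302
#endif
#ifndef TLS1_2_VERSION
#  define TLS1_2_VERSION 0x0303
#endif
#ifndef TLS1_3_VERSION
#  define TLS1_3_VERSION 0x0304
#endif

/* Map a protocol version number to the name SSL_get_version() would report. */
const char *tls_version_name(int version)
{
    switch (version) {
    case SSL2_VERSION:   return "SSLv2";
    case SSL3_VERSION:   return "SSLv3";
    case TLS1_VERSION:   return "TLSv1";
    case TLS1_1_VERSION: return "TLSv1.1";
    case TLS1_2_VERSION: return "TLSv1.2";
    case TLS1_3_VERSION: return "TLSv1.3";
    default:             return "unknown";
    }
}

/* Fill *min_ver/*max_ver with the detected range and return 1 when built
 * against OpenSSL headers; return 0 (outputs untouched) otherwise. */
int tls_version_range(int *min_ver, int *max_ver)
{
#if HAVE_OPENSSL_HEADERS
    *min_ver = DETECTED_MIN_VERSION;
    *max_ver = DETECTED_MAX_VERSION;
    return 1;
#else
    (void)min_ver;
    (void)max_ver;
    return 0;
#endif
}

int main(void)
{
    int lo = 0, hi = 0;
    if (!tls_version_range(&lo, &hi)) {
        puts("built without OpenSSL headers: no protocol range available");
        return 1;
    }
#if HAVE_OPENSSL_HEADERS
    printf("OpenSSL headers 0x%lx: protocols %s .. %s\n",
           (unsigned long)OPENSSL_VERSION_NUMBER,
           tls_version_name(lo), tls_version_name(hi));
#endif
    return 0;
}
```

Because the range is fixed when the program is compiled, it describes the headers the program was built against, not necessarily the shared library it is loaded with at run time; if the two can diverge, compare OPENSSL_VERSION_NUMBER against the library's reported version as well before trusting the result.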