On 16/11/16 23:22, Dan S wrote:
> I thought there is anything that would stop you from compiling with
> everything and make choices at run time, (TLSv1_2_method,
> TLSv1_1_method, TLSv1_method, SSLv23_method etc... just set the right
> flags and cyphers)

Do not use the TLS*method() functions for this purpose. They will lock
you into one specific protocol version. It is best to always use the
version flexible method TLS_method() (this was called SSLv23_method() in
1.0.2 - but it is the same thing despite the confusing name), and then
configure allowed versions with SSL_CTX_set_max_proto_version() and
SSL_CTX_set_min_proto_version() as described in my other post.

Matt

>
> On Wed, Nov 16, 2016 at 2:58 PM, Craig_Weeks@xxxxxxxxxxxxxx wrote:
>
> I am an OpenSSL neophyte, so please bear with me if the answer is
> obvious in the documentation.
>
> Our product is going to provide runtime options to the user to
> enable and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For
> example: today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1
> and 1.2, disable 1.0.
>
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch
> that permanently removes support for 1 or more versions)? I want
> these settings to apply to all new connections after they have been
> enabled or disabled.
>
> Craig Weeks | Senior Software Engineer, Support Response Team (SRT)

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users