Re: Disable/Enable TLS versions for all connections at runtime


 




On 16/11/16 23:22, Dan S wrote:
> I thought there is anything that would stop you from compiling with
> everything and make choices at run time, (TLSv1_2_method,
> TLSv1_1_method, TLSv1_method, SSLv23_method etc... just set the right
> flags and cyphers)

Do not use the TLS*method() functions for this purpose. They will lock
you into one specific protocol version. It is best to always use the
version flexible method TLS_method() (this was called SSLv23_method() in
1.0.2 - but it is the same thing despite the confusing name), and then
configure allowed versions with SSL_CTX_set_max_proto_version() and
SSL_CTX_set_min_proto_version() as described in my other post.

Matt



> 
> On Wed, Nov 16, 2016 at 2:58 PM, Craig_Weeks@xxxxxxxxxxxxxx wrote:
> 
>     I am an OpenSSL neophyte, so please bear with me if the answer is
>     obvious in the documentation.
> 
>     Our product is going to provide runtime options to the user to
>     enable and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For
>     example: today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1
>     and 1.2, disable 1.0.
> 
>     How do I use the available APIs to toggle the availability of these
>     versions of TLS at runtime (as opposed to some compile time switch
>     that permanently removes support for 1 or more versions)? I want
>     these settings to apply to all new connections after they have been
>     enabled or disabled.
> 
>     Craig Weeks | Senior Software Engineer, Support Response Team (SRT)
>     craig_weeks@xxxxxxxxxxxxxx
>     14231 Tandem Blvd, Austin TX 78728
>     www.trendmicro.com
> 
> 
> 
>     --
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 
> 
> 
> 
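The approach from the reply above (TLS_method() plus SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()), applied to the per-version switches from the original question, as an added example that is not part of any post in this thread. The EN_* bits, struct tls_plan and both function names are hypothetical, and disabling a version between the minimum and maximum with SSL_OP_NO_TLSv1_1 is an assumption that goes beyond what the reply states. The OpenSSL calls are compiled only with -DWITH_OPENSSL against OpenSSL 1.1.0 or later.

```c
/* Constructed example: turn per-version on/off switches into settings for a
 * version-flexible SSL_CTX. Build with -DWITH_OPENSSL -lssl -lcrypto
 * (OpenSSL 1.1.0+) to compile apply_tls_plan() as well. */
#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#else  /* wire version numbers; same values as the OpenSSL macros */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#endif

enum { EN_TLS1_0 = 1, EN_TLS1_1 = 2, EN_TLS1_2 = 4 };  /* hypothetical switch bits */

/* holes: EN_* bits of versions switched off between min and max */
struct tls_plan { int min, max; unsigned holes; };
static const int ver_of[3] = { TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION };

/* Returns 0 on success, -1 when no version is enabled so the caller can
 * reject that configuration. */
int plan_tls_versions(unsigned enabled, struct tls_plan *p)
{
    int lo = -1, hi = -1;
    for (int i = 0; i < 3; i++)
        if (enabled & (1u << i)) { if (lo < 0) lo = i; hi = i; }
    if (lo < 0)
        return -1;
    p->min = ver_of[lo];
    p->max = ver_of[hi];
    p->holes = 0;
    for (int i = lo + 1; i < hi; i++)
        if (!(enabled & (1u << i)))
            p->holes |= 1u << i;
    return 0;
}

#ifdef WITH_OPENSSL
/* ctx must come from SSL_CTX_new(TLS_method()). SSL objects created from ctx
 * after this call pick up the new settings; existing ones keep theirs. */
int apply_tls_plan(SSL_CTX *ctx, const struct tls_plan *p)
{
    if (!SSL_CTX_set_min_proto_version(ctx, p->min) ||
        !SSL_CTX_set_max_proto_version(ctx, p->max))
        return -1;
    SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);  /* undo an earlier hole */
    if (p->holes & EN_TLS1_1)  /* 1.1 is the only possible hole in 1.0..1.2 */
        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
    return 0;
}
#endif
```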