Re: Query regarding upgrading TLS compatibility

> On Apr 3, 2017, at 5:58 PM, Benjamin Kaduk via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
>> I have a query regarding TLS compatibility used in my application. Currently we are using TLS1.2 to connect to a third party server. Is there any way to always use the highest TLS available version without modifying or recompiling the application code whenever there is any new version of TLS released?
> 
> The closest you can come is to use TLS_method() (or the client- or server-specific version of it), which will prefer the highest version supported by the library, but also be able to use older versions if needed in order to interoperate with the peer.  It's not entirely clear whether your question was about restricting to specifically the highest version, to the exclusion of older versions.

I would phrase this more forcefully.  The correct way to do exactly what the
OP asked for is to use TLS_method() and friends with OpenSSL 1.1.0 or later,
or its OpenSSL 1.0.x equivalents SSLv23_method() and friends.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html

TLS is downgrade-resistant, so there's no need to restrict to just
the most recent version.  Just disable all the obsolete versions that
have exposure to known attacks, currently SSLv2 and SSLv3.

Already with TLS 1.0, negotiation to the highest mutually supported
version should not be subject to downgrade attacks.  However, if
all the expected peers support TLS 1.2, one can also disable TLS 1.0
and TLS 1.1.

  https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
  https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

-- 
	Viktor.


