On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > there is no "min" version in Client Hello, the version in the record layer is
> > irrelevant and used only for backwards compatibility *NOT* for
> > negotiation
>
> Thank you for the information. But I have a doubt: then what is the importance
> of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
> introduced in 1.1.X along with SSL_CTX_set_options()?

when the minimum set is higher than what the server answers with, the *client*
will reject the connection

that is: when SSL_CTX_set_min_proto_version is set to tls 1.2,
SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies with a
ServerHello.version of (3, 2), i.e. TLS 1.1, the client will abort the connection

> I would like to know how to disable TLSv1.0 and 1.1 using the configure
> option [CONFOPTS] in the Makefile.

what evidence do you have that what you do is ineffective? why aren't you using:

./config no-tls1 no-tls1_1

> Thanks in advance,
> Chethan Kumar
>
> -----Original Message-----
> From: Hubert Kario [mailto:hkario@xxxxxxxxxx]
> Sent: Thursday, April 11, 2019 7:08 PM
> To: openssl-users@xxxxxxxxxxx
> Cc: Chethan Kumar <Chethan.Kumar@xxxxxxxxxxxxxxxx>
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> > Adding to previous mail,
> > We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling
> > SSLv2 and v1 but the client hello is still sent using min and max as TLS1.0
> > and TLS1.2.
>
> there is no "min" version in Client Hello, the version in the record layer is
> irrelevant and used only for backwards compatibility *NOT* for negotiation
>
> > Any idea what is wrong in our options and what should be used instead?
>
> compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1
> to enable just TLS 1.1 and see if your production compile can connect
>
> > Thanks in advance,
> > Chethan Kumar
> >
> > From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On
> > Behalf Of Chethan Kumar
> > Sent: Thursday, April 11, 2019 4:25 PM
> > To: openssl-users@xxxxxxxxxxx
> > Subject: How to disable tls 1.0 and tls 1.1
> >
> > Dear all,
> >
> > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while
> > compiling the openssl package. I am using the 1.0.2n openssl version and
> > disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> > -DOPENSSL_NO_SSL2.
> >
> > I also have a doubt on the difference between -DSSL_OP_NO_SSLv2,
> > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain
> > the difference?
> >
> > Thanks in advance,
> > Chethan Kumar
> >
> > The information contained in this e-mail message and in any
> > attachments/annexure/appendices is confidential to the recipient and
> > may contain privileged information. If you are not the intended
> > recipient, please notify the sender and delete the message along with
> > any attachments/annexure/appendices. You should not disclose, copy or
> > otherwise use the information contained in the message or any
> > annexure. Any views expressed in this e-mail are those of the
> > individual sender except where the sender specifically states them to
> > be the views of Toshiba Software India Pvt. Ltd. (TSIP), Bangalore.
> > Although this transmission and any attachments are believed to be free
> > of any virus or other defect that might affect any computer system
> > into which it is received and opened, it is the responsibility of the
> > recipient to ensure that it is virus free and no responsibility is
> > accepted by Toshiba Software India Pvt. Ltd, for any loss or damage
> > arising in any way from its use.
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
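As an added illustration (not code from this thread or from OpenSSL), the Python below builds a constructed ClientHello and pulls out the only version fields it carries: the record-layer version, the handshake legacy_version, and the supported_versions extension. None of them is a "minimum", which is why a (3, 1) in the record layer says nothing about whether TLS 1.0 is enabled; the real offer is the supported_versions list, or legacy_version for a client that does not send the extension. The cipher suites and zeroed random are placeholders chosen for the sample, not values from a real capture.

```python
import struct

SUPPORTED_VERSIONS = 0x002B          # TLS extension type (RFC 8446)
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = (3, 1), (3, 2), (3, 3), (3, 4)

def build_client_hello(record_version=TLS1_0, legacy_version=TLS1_2,
                       offered=(TLS1_3, TLS1_2)):
    """Constructed sample ClientHello (not a real capture). The record layer
    carries a compatibility version, the handshake carries legacy_version and
    supported_versions carries the real offer; offered=None omits the extension."""
    body = bytes(legacy_version) + b"\x00" * 32        # legacy_version + random
    body += b"\x00"                                    # empty session_id
    suites = b"\x13\x01\xc0\x2f"                       # two sample cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # null compression only
    ext = b""
    if offered is not None:
        vers = b"".join(bytes(v) for v in offered)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body # handshake type + length
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data):
    """Return the three version fields; there is no 'minimum version' field."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    p = 4                                              # skip type + 3-byte length
    legacy = (hs[p], hs[p + 1]); p += 2 + 32           # legacy_version, random
    p += 1 + hs[p]                                     # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
    p += 1 + hs[p]                                     # compression_methods
    supported = None
    if p < len(hs):                                    # extensions present
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == SUPPORTED_VERSIONS:
                n = hs[p]                              # length of the version list
                supported = [(hs[i], hs[i + 1]) for i in range(p + 1, p + 1 + n, 2)]
            p += elen
    return {"record": (data[1], data[2]), "legacy": legacy, "supported": supported}

def highest_offered(info):
    """What the client really offers: supported_versions if sent, else legacy_version."""
    return max(info["supported"]) if info["supported"] else info["legacy"]
```

Running a production build's ClientHello through `parse_client_hello` (for example from a packet capture) shows directly whether TLS 1.0 or 1.1 appears in the offer, independent of what the record layer says.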