On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
> > what evidence do you have that what you do is ineffective?
>
> I tried connecting to some host by executing curl command with --tlsv1.1 and
> --tlsv1.0 options and am able to connect successfully.

Please note that curl developers have recently changed the meaning of those
options, please check if they do what you expect them to do by inspecting the
curl man page.

see: https://github.com/curl/curl/issues/2918

> > why aren't you using?
> > ./config no-tls1 no-tls1_1
>
> I have used these options in Makefile but still communication with TLS1.0
> and TLS1.1 is working.

what do you mean by "used them in Makefile", I'm talking about configure script

> Confirmed by checking openssl/opensslconf.h file
> for OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 macros and macros are generated.
> Kindly let me know what could be changed to disable TLS 1.0 and 1.1 at least
> by changing code in openssl.

macros may still be generated because the API is retained for ABI
compatibility, does adding `no-tls1-method` and `no-tls1_1-method` produce the
expected result?

> -----Original Message-----
> From: Hubert Kario [mailto:hkario@xxxxxxxxxx]
> Sent: Friday, April 12, 2019 4:50 PM
> To: Chethan Kumar <Chethan.Kumar@xxxxxxxxxxxxxxxx>
> Cc: openssl-users@xxxxxxxxxxx
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > > there is no "min" version in Client Hello, the version in record
> > > layer is irrelevant and used only for backwards compatibility *NOT*
> > > for negotiation
> >
> > Thank you for the information. But I have a doubt, then what is the
> > importance of SSL_CTX_set_min_proto_version() and
> > SSL_CTX_set_max_proto_version() introduced in 1.1.X along with
> > SSL_CTX_set_options().
>
> when the minimum set is higher than what the server answers with, the
> *client* will reject the connection after receiving ServerHello
>
> that is: when SSL_CTX_set_min_proto_version is set to tls 1.2,
> SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies with
> ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort the
> connection
>
> > I would like to know how to disable TLSv1.0 and 1.1 using configure
> > option[CONFOPTS] in Makefile.
>
> what evidence do you have that what you do is ineffective?
>
> why aren't you using?
> ./config no-tls1 no-tls1_1
>
> > Thanks in advance,
> > Chethan Kumar
> >
> > -----Original Message-----
> > From: Hubert Kario [mailto:hkario@xxxxxxxxxx]
> > Sent: Thursday, April 11, 2019 7:08 PM
> > To: openssl-users@xxxxxxxxxxx
> > Cc: Chethan Kumar <Chethan.Kumar@xxxxxxxxxxxxxxxx>
> > Subject: Re: How to disable tls 1.0 and tls 1.1
> >
> > On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> > > Adding to previous mail,
> > > We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling
> > > SSLv2 and v1 but still client hello is sent using min and max as TLS1.0
> > > and TLS1.2.
> >
> > there is no "min" version in Client Hello, the version in record layer
> > is irrelevant and used only for backwards compatibility *NOT* for
> > negotiation
> >
> > > Any idea what is wrong in our options and what should be used instead?
> >
> > compile an openssl server with TLS 1.1 enabled, run openssl s_server
> > -tls1_1 to enable just TLS 1.1 and see if your production compile can
> > connect
> >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > > From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On
> > > Behalf Of Chethan Kumar
> > > Sent: Thursday, April 11, 2019 4:25 PM
> > > To: openssl-users@xxxxxxxxxxx
> > > Subject: How to disable tls 1.0 and tls 1.1
> > >
> > > Dear all,
> > >
> > > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while
> > > compiling openssl package. I am using 1.0.2n openssl version and
> > > disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and
> > > -DOPENSSL_NO_SSL2.
> > >
> > > I also have a doubt on the difference between -DSSL_OP_NO_SSLv2,
> > > -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain
> > > the difference.
> > >
> > > Thanks in advance,
> > > Chethan Kumar
> > >
> > > The information contained in this e-mail message and in any
> > > attachments/annexure/appendices is confidential to the recipient and
> > > may contain privileged information. If you are not the intended
> > > recipient, please notify the sender and delete the message along
> > > with any attachments/annexure/appendices. You should not disclose,
> > > copy or otherwise use the information contained in the message or
> > > any annexure. Any views expressed in this e-mail are those of the
> > > individual sender except where the sender specifically states them
> > > to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> > > Although this transmission and any attachments are believed to be
> > > free of any virus or other defect that might affect any computer
> > > system into which it is received and opened, it is the
> > > responsibility of the recipient to ensure that it is virus free and
> > > no responsibility is accepted by Toshiba Software India Pvt. Ltd,
> > > for any loss or damage arising in any way from its use.
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
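The two points Hubert makes in this thread (there is no "min" version field in a ClientHello and the record-layer version is irrelevant to negotiation; a client configured with SSL_CTX_set_min_proto_version() only enforces the floor after it sees ServerHello.version) can be seen directly on the wire. The script below is an added example for this page, not code from the thread or from the OpenSSL project: it builds a constructed ClientHello (fixed random bytes, two cipher suites, a supported_versions extension) and parses the three places a version appears. The offered_versions and client_accepts helpers are illustrative functions written here, not OpenSSL API.

```python
"""Constructed TLS ClientHello plus a parser showing which version fields matter.

Added example, not part of the openssl-users thread. All bytes are constructed
inline; nothing is captured from a real connection.
"""
import struct

TLS_VERSIONS = {
    (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions extension type


def build_client_hello(legacy_version=(3, 3), supported=((3, 4), (3, 3)),
                       record_version=(3, 1)):
    """Build a minimal ClientHello record (constructed sample).

    record_version defaults to (3, 1) because real clients still put TLS 1.0
    in the record header for middlebox compatibility; it means nothing."""
    body = bytes(legacy_version)
    body += b"\x11" * 32                 # client random (fixed, constructed)
    body += b"\x00"                      # empty legacy_session_id
    suites = b"\x13\x01" + b"\xc0\x2f"   # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                  # compression_methods: null only
    exts = b""
    if supported:                        # omit the extension to mimic a pre-1.3 client
        vers = b"".join(bytes(v) for v in supported)
        data = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version-related fields of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = tuple(record[1:3])
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = tuple(body[0:2])
    pos = 2 + 32                         # skip random
    pos += 1 + body[pos]                 # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                 # skip compression methods
    supported = None
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                vers = edata[1:1 + edata[0]]
                supported = [tuple(vers[i:i + 2]) for i in range(0, len(vers), 2)]
    return {"record_version": record_version, "legacy_version": legacy_version,
            "cipher_suites": suites, "supported_versions": supported}


def offered_versions(info):
    """Versions a server may pick from this hello. There is no minimum field:
    with supported_versions only the listed versions are on offer; without it,
    the server may choose any version it knows at or below legacy_version."""
    if info["supported_versions"]:
        return info["supported_versions"]
    return [v for v in sorted(TLS_VERSIONS) if v <= info["legacy_version"]]


def client_accepts(server_version, min_version, max_version):
    """Illustrative model of what SSL_CTX_set_min/max_proto_version make the
    client do once ServerHello.version arrives: abort if it is outside [min, max]."""
    return min_version <= server_version <= max_version


if __name__ == "__main__":
    info = parse_client_hello(build_client_hello())
    for k, v in info.items():
        print(f"{k}: {v}")
    print("on offer:", [TLS_VERSIONS[v] for v in offered_versions(info)])
    # server answers TLS 1.1 while the client floor is TLS 1.2 -> client aborts
    print("accept (3,2) with min TLS1.2:", client_accepts((3, 2), (3, 3), (3, 4)))
```

Running it shows a record header saying TLS 1.0, a legacy_version of TLS 1.2 and a supported_versions list of TLS 1.3/1.2; none of these is a minimum. The version floor only exists in the client's own configuration and is applied to the server's reply, which is why `openssl s_server -tls1_1` against the production build is the test that actually answers the question.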