On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

Unfortunately, I think that's expected.  The actual bounds are numeric, and
TLS protocols start at 0x0301 (TLS 1.0) and go up to 0x0304 (TLS 1.3):

    # define TLS1_VERSION    0x0301
    # define TLS1_1_VERSION  0x0302
    # define TLS1_2_VERSION  0x0303
    # define TLS1_3_VERSION  0x0304
    # define TLS_MAX_VERSION TLS1_3_VERSION

[ It is also possible to set the floor at SSL3_VERSION == 0x0300, if that's
  still enabled in your build. ]

while DTLS protocols start at 0xFEFF (DTLS 1.0) and count down:

    # define DTLS1_VERSION    0xFEFF
    # define DTLS1_2_VERSION  0xFEFD
    # define DTLS_MIN_VERSION DTLS1_VERSION
    # define DTLS_MAX_VERSION DTLS1_2_VERSION

So when on a particular SSL_CTX you set MinProtocol and/or MaxProtocol, that
setting really only makes sense for TLS or for DTLS, but never both, and you
need a separate SSL_CTX for DTLS if you intend to specify the protocol ranges.

> How could I set a system default "MinProtocol" for DTLS and TLS to 1.2?

AFAIK, that's not presently possible.  You can specify application profiles,
for applications that specify an application name when initializing OpenSSL.
Or use the OPENSSL_CONF environment variable to select an alternative
configuration file for DTLS applications.

-- 
    Viktor.
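The following is an added illustration, not part of the thread above and not OpenSSL source: it models the numeric version bounds Viktor describes so the effect of MinProtocol = TLSv1.2 on a DTLS context can be seen in a few lines. The version constants are the ones quoted in the mail; the protocol-name table (the spellings accepted by the MinProtocol/MaxProtocol config commands) and the helper functions are my own assumptions for the example. The key detail it exercises is that DTLS numbers count down, so "at least DTLS 1.2" means "numerically at most 0xFEFD", and a TLS value such as 0x0303 falls outside the DTLS range altogether.

```c
/*
 * Added illustration (not OpenSSL code): models the numeric protocol
 * version bounds discussed in the mail above.  Constants are the ones
 * quoted there; the name table and helpers are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>

#define SSL3_VERSION     0x0300
#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define TLS_MAX_VERSION  TLS1_3_VERSION

#define DTLS1_VERSION    0xFEFF
#define DTLS1_2_VERSION  0xFEFD
#define DTLS_MIN_VERSION DTLS1_VERSION
#define DTLS_MAX_VERSION DTLS1_2_VERSION

enum method_kind { METHOD_TLS, METHOD_DTLS };

/* Map a MinProtocol/MaxProtocol name from openssl.cnf to its wire number.
 * Returns -1 for an unknown name.  (Assumed spellings for this example.) */
int protocol_from_string(const char *name)
{
    static const struct { const char *name; int version; } table[] = {
        { "SSLv3",    SSL3_VERSION },
        { "TLSv1",    TLS1_VERSION },
        { "TLSv1.1",  TLS1_1_VERSION },
        { "TLSv1.2",  TLS1_2_VERSION },
        { "TLSv1.3",  TLS1_3_VERSION },
        { "DTLSv1",   DTLS1_VERSION },
        { "DTLSv1.2", DTLS1_2_VERSION },
    };
    size_t i;
    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].version;
    return -1;
}

/* "a is at least as new as b".  DTLS numbers count down, so the comparison
 * is inverted for a DTLS context. */
static int newer_or_equal(enum method_kind m, int a, int b)
{
    return m == METHOD_DTLS ? (a <= b) : (a >= b);
}

/* Is 'version' a usable bound for a context created with this method?
 * A TLS number lies outside the DTLS range (and vice versa), which is why
 * MinProtocol = TLSv1.2 cannot be applied to a DTLS client. */
int bound_valid_for_method(enum method_kind m, int version)
{
    if (m == METHOD_TLS)
        return version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
    /* DTLS: 0xFEFF is the oldest (MIN), 0xFEFD the newest (MAX) */
    return newer_or_equal(METHOD_DTLS, version, DTLS_MIN_VERSION) &&
           newer_or_equal(METHOD_DTLS, DTLS_MAX_VERSION, version);
}

/* Would a negotiated 'version' be accepted under MinProtocol=min_name and
 * MaxProtocol=max_name?  NULL means no bound.  A bound from the other
 * protocol family counts as a failure, mirroring what the user observed. */
int version_allowed(enum method_kind m, int version,
                    const char *min_name, const char *max_name)
{
    int lo = min_name ? protocol_from_string(min_name) : -1;
    int hi = max_name ? protocol_from_string(max_name) : -1;

    if ((lo != -1 && !bound_valid_for_method(m, lo)) ||
        (hi != -1 && !bound_valid_for_method(m, hi)))
        return 0;                 /* bound cannot be set on this context */
    if (lo != -1 && !newer_or_equal(m, version, lo))
        return 0;                 /* older than the floor */
    if (hi != -1 && !newer_or_equal(m, hi, version))
        return 0;                 /* newer than the ceiling */
    return 1;
}

int main(void)
{
    printf("TLS  1.2, MinProtocol=TLSv1.2:  %d\n",
           version_allowed(METHOD_TLS,  TLS1_2_VERSION,  "TLSv1.2",  NULL));
    printf("DTLS 1.2, MinProtocol=TLSv1.2:  %d\n",
           version_allowed(METHOD_DTLS, DTLS1_2_VERSION, "TLSv1.2",  NULL));
    printf("DTLS 1.2, MinProtocol=DTLSv1.2: %d\n",
           version_allowed(METHOD_DTLS, DTLS1_2_VERSION, "DTLSv1.2", NULL));
    printf("DTLS 1.0, MinProtocol=DTLSv1.2: %d\n",
           version_allowed(METHOD_DTLS, DTLS1_VERSION,   "DTLSv1.2", NULL));
    return 0;
}
```

The second line of output is the openconnect case from the question: the TLS floor is simply not a DTLS version, so the DTLS context cannot honour it. The practical consequence, as the reply says, is a separate configuration for DTLS applications, for instance an alternative openssl.cnf selected through the OPENSSL_CONF environment variable.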