Re: Order of protocols in MinProtocol

On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
>>>>
>>>> AFAIK, that's not presently possible.  You can specify application
>>>> profiles, for applications that specify an application name when
>>>> initializing OpenSSL.  Or use the OPENSSL_CONF environment variable to
>>>> select an alternative configuration file for DTLS applications.
>>>
>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>> on some sensible mapping between TLS protocol versions based on whether
>>> we have a DTLS or TLS based SSL_METHOD.
> 
> Should I open an issue at https://github.com/openssl/openssl/issues?

Yes please.


> But for my personal problem right now (openconnect uses TLS and DTLS, so
> even if it would set an application name I couldn't set a "proper"
> setting), until this bug is fixed, I use this now:
> 
>    # MinProtocol = TLSv1.2
>    Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

Looks sane - although do you also mean to disable DTLSv1? Perhaps for
safety you should also disable SSLv3 (although support for it is not
built by default anyway).

Matt
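As an added illustration (not configuration posted by Klaus or Matt, and not part of the OpenSSL project), here is what a complete system-wide openssl.cnf fragment looks like when the posted Protocol line is placed in the `system_default` section that the thread's workaround assumes, with the two additions Matt's reply asks about (explicitly disabling DTLSv1 and SSLv3). The section names `default_conf`, `ssl_sect` and `system_default_sect` are conventional labels chosen for this example; the `openssl_conf`, `ssl_conf` and `system_default` keys are the standard ones OpenSSL looks up.

```ini
# Added example: system-wide protocol restriction in openssl.cnf.
# Section names below are arbitrary labels; the keys openssl_conf,
# ssl_conf and system_default are the ones OpenSSL reads.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# The line as posted in the thread. TLS 1.0 and 1.1 are disabled,
# TLS 1.2, TLS 1.3 and DTLS 1.2 are enabled. DTLSv1 and SSLv3 are not
# named, so they keep whatever state the library was built with.
# Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2

# Tightened variant taking up both of Matt's remarks: DTLSv1 and SSLv3
# are disabled explicitly, so the result does not depend on build-time
# defaults. A '-' prefix disables a version; a bare name enables it.
Protocol = -SSLv3, -TLSv1, -TLSv1.1, -DTLSv1, TLSv1.2, TLSv1.3, DTLSv1.2
```

The file this belongs in is the one under the directory printed by `openssl version -d`, and it only takes effect for applications that load the default OpenSSL configuration. A quick check after deploying it is to attempt a downgraded handshake against one of your own services, e.g. `openssl s_client -connect host:port -tls1_1`, and confirm the handshake is refused while a plain `openssl s_client -connect host:port` still succeeds.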


