On 08.07.20 17:57, Matt Caswell wrote:
>
>
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
>> On 08.07.20 12:21, Viktor Dukhovni wrote:
>>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>>
>>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>>> How could I set a System default "MinProtocol" for DTLS and TLS to 1.2?
>>>>>
>>>>> AFAIK, that's not presently possible. You can specify application
>>>>> profiles, for applications that specify an application name when
>>>>> initializing OpenSSL. Or use the OPENSSL_CONF environment variable to
>>>>> select an alternative configuration file for DTLS applications.
>>>>
>>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>>> on some sensible mapping between TLS protocol versions based on whether
>>>> we have a DTLS or TLS based SSL_METHOD.
>>
>> Should I open an issue at https://github.com/openssl/openssl/issues?
>
> Yes please.

Done: https://github.com/openssl/openssl/issues/12394

>> But for my personal problem right now (openconnect uses TLS and DTLS, so
>> even if it would set an application name I couldn't set a "proper"
>> setting), until this bug is fixed, I use this now:
>>
>> # MinProtocol = TLSv1.2
>> Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
>
> Looks sane - although do you also mean to disable DTLSv1? Perhaps for
> safety you should also disable SSLv3 (although support for it is not
> built by default anyway).

Ah, thanks, I missed DTLSv1. (SSLv3 is not enabled in my build, but for safety reasons, you are right.)

Thank you!
- Klaus
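The gap Matt points out above (the Protocol line disables TLSv1/TLSv1.1 but leaves DTLSv1 and SSLv3 enabled) is easy to miss by eye. The following is an added checker, not code from the thread or from OpenSSL: it models the documented semantics of the ssl_conf "Protocol" directive from SSL_CONF_cmd(3) (all versions enabled by default, "-X" disables X, "ALL" names every version) and reports which pre-1.2 versions a given line still leaves enabled for the TLS and DTLS method families. It ignores MinProtocol/MaxProtocol and the build-time availability of SSLv3, which the real library also applies.

```python
# Simplified model of the documented semantics of OpenSSL's ssl_conf
# "Protocol" directive (SSL_CONF_cmd(3)).  Added example, not OpenSSL code:
# it does not model MinProtocol/MaxProtocol or compile-time disabled versions.

TLS_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DTLS_VERSIONS = ("DTLSv1", "DTLSv1.2")
ALL_VERSIONS = TLS_VERSIONS + DTLS_VERSIONS
# The versions the thread wants switched off: everything below (D)TLS 1.2.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1", "DTLSv1"}


def parse_protocol_directive(value):
    """Return the set of versions left enabled by a 'Protocol = ...' value.

    Every known version starts enabled; "-X" disables X, a bare "X" enables
    it again, and "ALL" stands for every version.  Items are applied in order.
    """
    enabled = set(ALL_VERSIONS)
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        disable = item.startswith("-")
        name = item[1:] if disable else item
        names = ALL_VERSIONS if name == "ALL" else (name,)
        for n in names:
            if n not in ALL_VERSIONS:
                raise ValueError("unknown protocol version: %r" % n)
            if disable:
                enabled.discard(n)
            else:
                enabled.add(n)
    return enabled


def legacy_versions_left_enabled(value):
    """Per SSL_METHOD family, the pre-1.2 versions the directive did not disable."""
    enabled = parse_protocol_directive(value)
    return {
        "TLS": [v for v in TLS_VERSIONS if v in enabled and v in LEGACY],
        "DTLS": [v for v in DTLS_VERSIONS if v in enabled and v in LEGACY],
    }


if __name__ == "__main__":
    # The line from the thread, followed by a corrected line (constructed here).
    for line in ("-TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2",
                 "-SSLv3, -TLSv1, -TLSv1.1, -DTLSv1, TLSv1.2, TLSv1.3, DTLSv1.2"):
        print("Protocol =", line, "->", legacy_versions_left_enabled(line))
```

An empty list for both families is the result to aim for; the first line from the thread reports SSLv3 and DTLSv1 as still enabled, which is exactly what Matt asked about.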