On Wed, Jul 08, 2020 at 07:27:18PM +0200, Klaus Umbach via openssl-users wrote:

> > > Should I open an issue at https://github.com/openssl/openssl/issues?
> >
> > Yes please.
>
> Done: https://github.com/openssl/openssl/issues/12394

Thanks again for opening the issue, but I have a follow-up question about your original message, which is easiest to ask on the list.

On Wed, Jul 08, 2020 at 04:58:39PM +0200, Klaus Umbach via openssl-users wrote:

> when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
> the client (in my specific case openconnect).

- Can you be a bit more specific about the failure mode of "openconnect"?
- What are the error messages?
- Can you get verbose error information?

The reason I ask is that, much to my surprise, in trying to write a patch to resolve this issue, I discovered that I had already written essentially the requisite code back in 2015, but had long ago forgotten the details!

Documentation improvements aside, the above 2015 code in OpenSSL already applies TLS version bounds only to TLS-based contexts, and DTLS bounds only to DTLS-based contexts. Thus you can already write:

    MinProtocol TLSv1.2
    MinProtocol DTLSv1.2

repeating the option with appropriate settings for each of TLS and DTLS, and pretty much each applies to the appropriate type of SSL_CTX.

The main outstanding issue, for which I'm authoring a new PR, is that each of the above results in SSL_CONF_cmd() returning an error for contexts of the other type, or for contexts that are for a specific fixed version of TLS or DTLS, and perhaps these errors are not ignored and cause issues with context initialisation? The update I'm writing will be more forgiving and silently report success when the setting is not applicable.

That aside, clearly the documentation also needs an update.
But I would like to confirm that I'm not missing some crucial detail, and therefore it would be very helpful to get a more detailed breakdown of the errors you observed, assuming that the application isn't so user-friendly as to hide all those geeky error details... :-(

-- 
Viktor.
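For reference, this is how the two repeated MinProtocol lines discussed in the message fit into a complete openssl.cnf so that they apply as system-wide defaults to every SSL_CTX; it is an added example, not text from the message or a file shipped by OpenSSL. The keys `openssl_conf`, `ssl_conf` and `system_default` are fixed names read by the library; the section names `openssl_init`, `ssl_sect` and `system_default_sect` are labels chosen here and can be anything.

```ini
# Top level: name the section the library reads when it initialises.
openssl_conf = openssl_init

[openssl_init]
# Hook in the TLS/DTLS configuration module.
ssl_conf = ssl_sect

[ssl_sect]
# Settings in the referenced section apply to every SSL_CTX the
# application creates, unless the application overrides them.
system_default = system_default_sect

[system_default_sect]
# The option is repeated once per protocol family: the TLS bound is
# applied only to TLS-based contexts and the DTLS bound only to
# DTLS-based contexts, as described in the message above.
MinProtocol = TLSv1.2
MinProtocol = DTLSv1.2
```

As the message notes, on OpenSSL releases predating the fix being worked on, the line for the other protocol family makes SSL_CONF_cmd() return an error for each SSL_CTX type, so check the application's error output when testing this with a client such as openconnect.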