Victor: Thanks very much for your expedient response. The problem is that TLS 1.0 is considered insecure and thus getting "deprecated" in many situations (e.g. https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/) despite its presence being allowed in the protocol standard. Thus, we have end users that are instituting firewall rules to block packets upon detecting presence of TLS 1.0... -Mike -----Original Message----- From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Viktor Dukhovni Sent: Friday, June 2, 2023 6:16 PM To: openssl-users@xxxxxxxxxxx Subject: [EXTERNAL] Re: TLS Version in Record Layer using OpenSSL 1.1.1 On Fri, Jun 02, 2023 at 11:22:18PM +0000, Michael Lee via openssl-users wrote: > Regarding your remark from > https://urldefense.com/v3/__https://mta.openssl.org/pipermail/openssl- > users/2020-October/013081.html__;!!PEK3uBjM8x5RqC4b!E6XE5lvLYpBpyrFtEe > Mil3KxrMgALc4iPqJ-I8PohEiXIRUKXuFyZUzscwSVnYyPnq2RsJp2p4TWl4rd2u_y81Kh > Ud-N6XU$ Basically the record version is never greater than TLSv1.2. > If we're in an initial ClientHello (not a renegotiation or an HRR) and > the max version is > TLSv1.0 then the record version is fixed at > TLSv1.0 for the ClientHello record. > > Do you know if this "fixed at TLSv1.0" restriction is relaxed with OpenSSL 3? > We have packets that are being blocked by firewall due to the TLS 1.0 signature. > We desperately need to change the Record Layer version to TLS 1.2 somehow. The behaviour has not changed. Even OpenSSL 3.2-dev will use TLSv1 at the record layer in an initial client hello, and even with MinProtocol set to TLSv1.2. The problem is the firewall. Your attention should be directed there. -- Viktor. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- NOTE THAT THIS EMAIL ORIGINATED FROM OUTSIDE OF INTUITIVE SURGICAL. Be alert for fraudulent emails that spoof internal "@intusurg.com" email addresses. Report any suspicious emails using the "Report Phish" button. Click KB0014776 for more information on the "Report Phish" button and to learn more about differentiating phishing from spam and bulk email, please review KB0014940.