On Wed, Jun 13, 2012, Garrison, Jim (ETW) wrote:

> > -----Original Message-----
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> > us...@openssl.org] On Behalf Of Dr. Stephen Henson
> > Sent: Wednesday, June 13, 2012 5:23 PM
> > To: openssl-users@openssl.org
> > Subject: Re: TLSv1.2 backward compatibility
> >
> > On Wed, Jun 13, 2012, Garrison, Jim (ETW) wrote:
> >
> > > Is anybody else having trouble with newer SSL clients (1.0.1c
> > > specifically) causing older servers to hang?
> > >
> >
> > Yes, see PR#2771.
> >
> > >
> > > Reading the 1.0.1c release notes I see
> > >
> > >   3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
> > >      TLS 1.2 client support entirely.
> > >
> > > Is this something that can be set at runtime, or is it purely a
> > > compile-time option?
> >
> > Yes you can set SSL_OP_NO_TLSv1_2 and possibly SSL_OP_NO_TLSv1_1 too.
>
> Sorry if I seem dense, but how do I set this at runtime? I tried
> creating an environment variable as in:
>
>   export SSL_OP_NO_TLSv1_2=1
>   export SSL_OP_NO_TLSv1_1=1
>   openssl s_client -connect remoteserver:443
>
> but this gets the same hang, both with s_client and the svn client, and
> Wireshark shows it's still sending a TLSv1.2 handshake.
>
Ah, I see, the application needs to support it for that to work. For example
a call to:

  SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);

after SSL_CTX_new. But that will need modification to the application (but
not OpenSSL itself).

There isn't an environment variable to set this.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
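The point of Steve's reply is that SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_1 are bits in a per-context bitmask that the application sets on its SSL_CTX; the environment variables Jim exported are never read by OpenSSL. The following is an added example, not code from the thread or from the OpenSSL project, showing the same thing from Python, whose ssl module exposes OpenSSL's SSL_CTX and the very same SSL_OP_NO_* bits. It builds a client context that never offers TLS 1.1 or 1.2, reports which versions a context would still offer, and probes a server with a timeout so that a server which hangs instead of answering the ClientHello shows up as a timeout rather than a stuck s_client. The hostname and port passed to `probe()` are whatever the caller supplies; `offered_versions()` and the timeout message are this example's own helpers, not part of the ssl module.

```python
"""Runtime equivalent of SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1).

Added example; assumes CPython's ssl module built against OpenSSL.
"""
import socket
import ssl
import warnings

# The same bitmask a C application would pass to SSL_CTX_set_options().
# Python's ssl module re-exports OpenSSL's SSL_OP_NO_* values under these names.
LEGACY_NO_TLS12_TLS11 = ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_1

# Protocol versions in wire order, with the option bit that switches each off.
_VERSIONS = [
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1, "TLSv1"),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1, "TLSv1.1"),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2, "TLSv1.2"),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3, "TLSv1.3"),
]


def legacy_client_context() -> ssl.SSLContext:
    """Client SSL_CTX that will offer at most TLS 1.0 in its ClientHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Recent Python sets the floor to TLS 1.2; lower it or nothing would be left.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # The option bits, exactly as in the C API. Modern Python flags them as
    # deprecated in favour of min/max version, so the warning is silenced here.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= LEGACY_NO_TLS12_TLS11
    # The min/max API only exists since OpenSSL 1.1.0 (the thread is 1.0.1 era);
    # setting it as well also covers TLS 1.3, which the option bits predate.
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def offered_versions(ctx: ssl.SSLContext) -> list:
    """Versions a context would still offer, from its bounds and option bits."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    offered = []
    for version, no_bit, name in _VERSIONS:
        if ctx.options & no_bit:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        offered.append(name)
    return offered


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with a real server using the legacy context and say what happened.

    Needs network access. On distributions that pin OpenSSL to SECLEVEL=2 the
    library itself refuses TLS 1.0, which surfaces here as a handshake failure.
    """
    ctx = legacy_client_context()
    ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "negotiated " + tls.version()
    except socket.timeout:
        # A server that never answers a ClientHello it cannot parse shows up here.
        return "no handshake reply within %.0fs" % timeout
    except ssl.SSLError as exc:
        return "handshake failed: %s" % exc.reason


if __name__ == "__main__":
    print("legacy context offers:", offered_versions(legacy_client_context()))
    print("default context offers:", offered_versions(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)))
```

Two things to keep in mind when using this as a workaround. It lowers the protocol ceiling for every connection made with that context, so confine the context to the connections that need it rather than the whole process. And confirm the effect in the same way Jim did: a packet capture of the ClientHello after the change should show a TLS 1.0 version field, not 1.2.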