On Sat, Jan 25, 2014 at 11:34:05AM -0500, Jeffrey Walton wrote:

> > ... for >= TLSv1.2, protocol should be selected as SSLv23_method()?
>
> Yes, but as Viktor pointed out, you also need:
>
>     options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2

plus SSL_OP_NO_SSLv3. So I would define:

    #define SSL_OP_MINPROTO_SSLv2   0
    #define SSL_OP_MINPROTO_SSLv3   (SSL_OP_MINPROTO_SSLv2 | SSL_OP_NO_SSLv2)
    #define SSL_OP_MINPROTO_TLSv1   (SSL_OP_MINPROTO_SSLv3 | SSL_OP_NO_SSLv3)
    #define SSL_OP_MINPROTO_TLSv1_1 (SSL_OP_MINPROTO_TLSv1 | SSL_OP_NO_TLSv1)
    #define SSL_OP_MINPROTO_TLSv1_2 (SSL_OP_MINPROTO_TLSv1_1 | SSL_OP_NO_TLSv1_1)

and call:

    SSL_CTX_set_options(ctx, SSL_OP_MINPROTO_TLSv1_2);

--
    Viktor.
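Added example (not part of the message above and not OpenSSL code): a small C check that walks an options mask and reports the lowest protocol version it leaves enabled, and whether a disabled version sits between two enabled ones. It compares the mask quoted in the thread, which lacks SSL_OP_NO_SSLv3, with the cumulative SSL_OP_MINPROTO_TLSv1_2 mask. The SSL_OP_NO_* bit values are stand-ins constructed so the block builds without the OpenSSL headers, and lowest_enabled() and has_hole() are hypothetical helper names.

```c
#include <stdio.h>

/* Stand-in bit values, constructed so this builds without OpenSSL headers.
 * In real code include <openssl/ssl.h> and delete these five defines. */
#define SSL_OP_NO_SSLv2   0x01UL
#define SSL_OP_NO_SSLv3   0x02UL
#define SSL_OP_NO_TLSv1   0x04UL
#define SSL_OP_NO_TLSv1_1 0x08UL
#define SSL_OP_NO_TLSv1_2 0x10UL

/* Cumulative minimum-protocol masks, as defined in the message above. */
#define SSL_OP_MINPROTO_SSLv2   0
#define SSL_OP_MINPROTO_SSLv3   (SSL_OP_MINPROTO_SSLv2 | SSL_OP_NO_SSLv2)
#define SSL_OP_MINPROTO_TLSv1   (SSL_OP_MINPROTO_SSLv3 | SSL_OP_NO_SSLv3)
#define SSL_OP_MINPROTO_TLSv1_1 (SSL_OP_MINPROTO_TLSv1 | SSL_OP_NO_TLSv1)
#define SSL_OP_MINPROTO_TLSv1_2 (SSL_OP_MINPROTO_TLSv1_1 | SSL_OP_NO_TLSv1_1)

/* Protocols in ascending order with the option bit that disables each. */
static const struct { const char *name; unsigned long no_bit; } protos[] = {
    { "SSLv2", SSL_OP_NO_SSLv2 },     { "SSLv3", SSL_OP_NO_SSLv3 },
    { "TLSv1", SSL_OP_NO_TLSv1 },     { "TLSv1.1", SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", SSL_OP_NO_TLSv1_2 },
};
#define NPROTOS (sizeof protos / sizeof protos[0])

/* Index into protos[] of the lowest version still enabled, or -1 if none. */
int lowest_enabled(unsigned long opts) {
    for (size_t i = 0; i < NPROTOS; i++)
        if (!(opts & protos[i].no_bit)) return (int)i;
    return -1;
}

/* 1 if a disabled version sits between two enabled ones, else 0. */
int has_hole(unsigned long opts) {
    int seen_on = 0, seen_off_after_on = 0;
    for (size_t i = 0; i < NPROTOS; i++) {
        int on = !(opts & protos[i].no_bit);
        if (on && seen_off_after_on) return 1;
        if (on) seen_on = 1; else if (seen_on) seen_off_after_on = 1;
    }
    return 0;
}

int main(void) {
    unsigned long quoted = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv2;
    unsigned long ladder = SSL_OP_MINPROTO_TLSv1_2;
    printf("quoted mask:      lowest=%s hole=%d\n", protos[lowest_enabled(quoted)].name, has_hole(quoted));
    printf("MINPROTO_TLSv1_2: lowest=%s hole=%d\n", protos[lowest_enabled(ladder)].name, has_hole(ladder));
    return 0;
}
```

OpenSSL 1.1.0 and later also provide SSL_CTX_set_min_proto_version() for setting the floor directly.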