Thank you Matt for the quick response. For "2," does it mean that every cipher suite can operate in multiple levels? I thought that there was a specific set of cipher suites operating in each of the levels.
Thanks,
Grace

On Tue, Oct 17, 2017 at 2:25 PM, Matt Caswell <m...@openssl.org> wrote:

> On 17/10/17 09:21, Grace Priscilla Jero wrote:
> > Hi All,
> >
> > 1)
> > The below APIs used to set the maximum and minimum versions are
> > available in 1.1.0f version of OPENSSL.
> >
> > int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
> > int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
> > int SSL_set_min_proto_version(SSL *ssl, int version);
> > int SSL_set_max_proto_version(SSL *ssl, int version);
> >
> > Do you have the same in any of the 1.0.2x threads or plan to have it in
> > any later versions. We don't see it available in 1.0.2k or 1.0.2l
> > versions. Kindly update us on the same.
>
> These APIs were first introduced into 1.1.0, and we intend to continue
> to support them moving forward in future versions. However they will not
> be backported to the 1.0.2 branch. We do not add new features to a
> stable branch.
>
> In 1.0.2 you must use the options SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
> SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 via the SSL_CTX_set_options() or
> SSL_set_options() functions.
>
> > 2)
> > There are a set of APIs to set/get security level wherein each level
> > supports a set of cipher suites. Is there something available in OPENSSL
> > wherein I can get the level and set it when I provide a cipher suite.
> > We have a case where we give the user a provision to provide his own
> > list of cipher suites and we need to set the appropriate level in the
> > API so that we support it for the connections. Kindly provide your
> > comments.
>
> You can set the security level via the cipher string using the special
> cipher string command "@SECLEVEL". For example to set all default
> ciphersuites at security level 2 or above you can use:
>
> "DEFAULT:@SECLEVEL=2"
>
> Matt
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users