Re: [openssl-users] Disable/Enable TLS versions for all connections at runtime

2016-11-16 Thread Matt Caswell


On 16/11/16 23:22, Dan S wrote:
> I thought there is anything that would stop you from compiling with
> everything and make choices at run time, (TLSv1_2_method,
> TLSv1_1_method, TLSv1_method, SSLv23_method etc... just set the right
> flags and cyphers)

Do not use the TLS*method() functions for this purpose. They will lock
you into one specific protocol version. It is best to always use the
version flexible method TLS_method() (this was called SSLv23_method() in
1.0.2 - but it is the same thing despite the confusing name), and then
configure allowed versions with SSL_CTX_set_max_proto_version() and
SSL_CTX_set_min_proto_version() as described in my other post.

Matt



> 
> On Wed, Nov 16, 2016 at 2:58 PM, craig_we...@trendmicro.com wrote:
> 
> I am an OpenSSL neophyte, so please bear with me if the answer is
> obvious in the documentation.
> 
> Our product is going to provide runtime options to the user to
> enable and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For
> example: today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1
> and 1.2, disable 1.0.
> 
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch
> that permanently removes support for 1 or more versions)? I want
> these settings to apply to all new connections after they have been
> enabled or disabled.
> 
> Craig Weeks | Senior Software Engineer, Support Response Team (SRT)
> craig_we...@trendmicro.com
> 14231 Tandem Blvd, Austin TX 78728
> www.trendmicro.com
> 
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is 
> confidential 
> and may be subject to copyright or other intellectual property 
> protection. 
> If you are not the intended recipient, you are not authorized to use or 
> disclose this information, and we request that you notify us by reply 
> mail or
> telephone and delete the original message from your mail system.
> 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Disable/Enable TLS versions for all connections at runtime

2016-11-16 Thread Dan S
I thought there is anything that would stop you from compiling with
everything and make choices at run time, (TLSv1_2_method, TLSv1_1_method,
TLSv1_method, SSLv23_method etc... just set the right flags and cyphers)

On Wed, Nov 16, 2016 at 2:58 PM, craig_we...@trendmicro.com <craig_we...@trendmicro.com> wrote:

> I am an OpenSSL neophyte, so please bear with me if the answer is obvious
> in the documentation.
>
>
>
> Our product is going to provide runtime options to the user to enable and
> disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For example: today
> enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1 and 1.2, disable 1.0.
>
>
>
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch that
> permanently removes support for 1 or more versions)? I want these settings
> to apply to all new connections after they have been enabled or disabled.
>
>
>
> Craig Weeks | Senior Software Engineer, Support Response Team (SRT)
>
>
>
> craig_we...@trendmicro.com 
>
>
>
> 14231 Tandem Blvd, Austin TX 78728
>
>
>
> www.trendmicro.com
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Disable/Enable TLS versions for all connections at runtime

2016-11-16 Thread Matt Caswell


On 16/11/16 22:58, craig_we...@trendmicro.com wrote:
> I am an OpenSSL neophyte, so please bear with me if the answer is
> obvious in the documentation.
> 
>  
> 
> Our product is going to provide runtime options to the user to enable
> and disable TLS 1.0, 1.1 and 1.2 in a discrete manner. For example:
> today enable 1.0 and 1.2, disable 1.1; tomorrow enable 1.1 and 1.2,
> disable 1.0.
> 
>  
> 
> How do I use the available APIs to toggle the availability of these
> versions of TLS at runtime (as opposed to some compile time switch that
> permanently removes support for 1 or more versions)? I want these
> settings to apply to all new connections after they have been enabled or
> disabled.


The preferred way to do this is using SSL_CTX_set_max_proto_version()
and SSL_CTX_set_min_proto_version():

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_max_proto_version.html

Note these macros are only available in OpenSSL 1.1.0.

If you need something that will work in OpenSSL 1.0.2 and 1.1.0 then you
can use SSL_CTX_set_options() to disable specific protocol versions:

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

Note: your example of "enable 1.0 and 1.2, disable 1.1" would be
strongly discouraged. You are encouraged to only allow a contiguous set
of protocol versions without any "holes". It is possible to do this with
SSL_CTX_set_options() although you may get some unpredictable results
around version negotiation.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
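The two recommendations in Matt's replies (build on the version-flexible method rather than a TLS*_method() lock-in, then bound the negotiable range with SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version(), keeping the range contiguous) as an added example. It is not code from the thread or from OpenSSL; it uses Python's ssl module because that module is a thin front for the same calls: PROTOCOL_TLS_CLIENT is TLS_method(), SSLContext.minimum_version/maximum_version are the min/max proto version setters, and PROTOCOL_TLSv1_2 is the fixed-version TLSv1_2_method(). The function names, the version ladder and the on/off-switch input are my own construction for the example.

```python
import ssl
import warnings

# Ladder of the TLS versions discussed in the thread, lowest first
# (TLS 1.3 appended because the ssl module on a current OpenSSL exposes it).
# Constructed for this example.
VERSION_LADDER = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def range_from_enabled(enabled):
    """Collapse per-version on/off switches into a (lowest, highest) pair.

    Rejects selections with a hole in them, e.g. {1.0, 1.2} with 1.1 off,
    so the UI cannot produce the configuration the thread warns against.
    """
    chosen = tuple(v for v in VERSION_LADDER if v in enabled)
    if not chosen:
        raise ValueError("at least one TLS version must be enabled")
    lo, hi = chosen[0], chosen[-1]
    contiguous = VERSION_LADDER[VERSION_LADDER.index(lo):VERSION_LADDER.index(hi) + 1]
    if chosen != contiguous:
        raise ValueError("enabled versions must be a contiguous range, no holes")
    return lo, hi


def make_context(lo, hi):
    """Version-flexible context (PROTOCOL_TLS_CLIENT, i.e. TLS_method()) whose
    range is set through minimum_version/maximum_version, which the ssl module
    implements with SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version()."""
    if lo > hi:
        raise ValueError("lowest version is above highest version")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


def allowed_versions(ctx):
    """Versions a context will negotiate, read back from its configured bounds."""
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = VERSION_LADDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = VERSION_LADDER[-1]
    return tuple(v for v in VERSION_LADDER if lo <= v <= hi)


def locked_method_rejects_range():
    """The pitfall from the thread: a fixed-version context (PROTOCOL_TLSv1_2,
    the analogue of TLSv1_2_method()) cannot have its range changed at runtime.
    Returns True when the ssl module refuses the change with ValueError."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    lo, hi = range_from_enabled({ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3})
    ctx = make_context(lo, hi)
    print("negotiable:", [v.name for v in allowed_versions(ctx)])
    try:
        range_from_enabled({ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2})
    except ValueError as e:
        print("rejected:", e)
    print("fixed-version context refuses re-ranging:", locked_method_rejects_range())
```

Because the bounds live on the context, every connection created from it after a change picks up the new range, which is the "all new connections" behaviour the original question asks for; connections already in progress keep whatever was negotiated.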


Re: [openssl-users] Disable/Enable TLS versions for all connections at runtime

2016-11-16 Thread Viktor Dukhovni
On Wed, Nov 16, 2016 at 10:58:17PM +, craig_we...@trendmicro.com wrote:

> Our product is going to provide runtime options to the user to enable and
> disable TLS 1.0, 1.1 and 1.2 in a discrete manner.

This is a bad interface.  Do not implement this feature.  Instead
support only a contiguous range of protocol versions, by allowing
the user to specify a lowest supported version and a highest
supported version.

This maps directly onto the OpenSSL 1.1.0 API, but in older
versions you'll need to map these onto corresponding:

SSL_OP_NO_...

macros to disable all versions below the lowest, and if possible,
at least one version above the highest.  Note that TLS 1.2 is
the highest supported in OpenSSL 1.0.x, and no higher versions will
be added.  So "<= TLS 1.2" is the same as not bounded above.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
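Viktor's mapping of a (lowest, highest) pair onto SSL_OP_NO_* flags for OpenSSL releases that lack the min/max setters, as an added example that is not from the thread or from OpenSSL. It is again written against Python's ssl module, whose SSLContext.options property is its front for SSL_CTX_set_options() and whose OP_NO_* constants are the SSL_OP_NO_* macros; the function names and the version/flag ladder are my own construction. It generalises his description to any pair of bounds: everything below the lowest and everything above the highest is switched off.

```python
import ssl
import warnings

# (version, SSL_OP_NO_* flag) pairs as the ssl module exposes them, lowest first.
# Constructed for this example. An OpenSSL 1.0.x build has no TLS 1.3 entry at
# all, which is why "<= TLS 1.2" there is the same as not bounded above.
NO_FLAGS = (
    (ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
)


def op_no_mask(lo, hi):
    """Bitmask of SSL_OP_NO_* flags that leaves exactly the range [lo, hi] enabled:
    every version below lo and every version above hi is switched off, and the
    SSLv2/SSLv3 flags are always included."""
    if lo > hi:
        raise ValueError("lowest version is above highest version")
    mask = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    for version, flag in NO_FLAGS:
        if version < lo or version > hi:
            mask |= flag
    return mask


def versions_left_enabled(mask):
    """Which TLS versions a given mask still permits (used to check the mapping)."""
    return tuple(version for version, flag in NO_FLAGS if not mask & flag)


def apply_version_range(ctx, lo, hi):
    """Apply the mask through SSLContext.options, i.e. SSL_CTX_set_options().
    The DeprecationWarning is silenced because this is the 1.0.2-compatible
    route, not the preferred min/max one."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= op_no_mask(lo, hi)
    return ctx


def context_permits(ctx, version):
    """True if the context's option bits still allow `version`."""
    for v, flag in NO_FLAGS:
        if v == version:
            return not ctx.options & flag
    raise ValueError("unknown version")


if __name__ == "__main__":
    lo, hi = ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2
    mask = op_no_mask(lo, hi)
    print("mask 0x%08x leaves enabled:" % mask,
          [v.name for v in versions_left_enabled(mask)])
    ctx = apply_version_range(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), lo, hi)
    for v, _ in NO_FLAGS:
        print(v.name, "permitted" if context_permits(ctx, v) else "disabled")
```

Note that SSL_CTX_set_options() only ever adds bits, so widening the range later means clearing flags with SSL_CTX_clear_options() (SSLContext.options &= ~mask here), and that the 1.0.x path cannot express a maximum below TLS 1.2 without also relying on which versions the build happens to know about.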