Re: [openssl-users] Query regarding upgrading TLS compatibility
> On Apr 3, 2017, at 8:42 PM, Kyle Hamilton wrote:
>
> In other words, it is very unlikely that TLS 1.3 can be implemented
> in a binary-compatible manner. It is best if you plan to recompile
> your application against the version of the library that implements
> TLS 1.3.

Unlikely or not, the OpenSSL 1.1.1 release will be binary compatible
with 1.1.0 and will support TLS 1.3. There will be new features, but
for most applications, the software and protocol upgrade is transparent.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Query regarding upgrading TLS compatibility
Every new version of TLS requires code to be written. Sometimes it can be
implemented in a binary compatible manner, and in those situations you can
get the implementation of a new TLS version by simply replacing a DLL or
equivalent dynamic library. However, it's much more likely that the
implementation requires non-binary-compatible changes, and your application
will need to be recompiled against the new version of the library that
supports the newest TLS version.

In other words, it is very unlikely that TLS 1.3 can be implemented in a
binary-compatible manner. It is best if you plan to recompile your
application against the version of the library that implements TLS 1.3.

-Kyle H

On Mon, Apr 3, 2017 at 2:42 AM, Hegde, Harsha wrote:
> Hi,
>
> I have a query regarding TLS compatibility used in my application.
> Currently we are using TLS1.2 to connect to a third party server. Is there
> any way to always use the highest TLS available version without modifying
> or recompiling the application code whenever there is any new version of
> TLS released?
>
> Thanks & Regards
>
> Harsha
>
> __
> Disclaimer: This email and any attachments are sent in strictest confidence
> for the sole use of the addressee and may contain legally privileged,
> confidential, and proprietary data. If you are not the intended recipient,
> please advise the sender by replying promptly to this email and then delete
> and destroy this email and any attachments without any further use, copying
> or forwarding.
Re: [openssl-users] Query regarding upgrading TLS compatibility
> On Apr 3, 2017, at 5:58 PM, Benjamin Kaduk via openssl-users wrote:
>
>> I have a query regarding TLS compatibility used in my application.
>> Currently we are using TLS1.2 to connect to a third party server. Is there
>> any way to always use the highest TLS available version without modifying or
>> recompiling the application code whenever there is any new version of TLS
>> released?
>
> The closest you can come is to use TLS_method() (or the client- or
> server-specific version of it), which will prefer the highest version
> supported by the library, but also be able to use older versions if needed in
> order to interoperate with the peer. It's not entirely clear whether your
> question was about restricting to specifically the highest version, to the
> exclusion of older versions.

I would phrase this more forcefully. The correct way to do exactly what
the OP asked for is to use TLS_method() and friends with OpenSSL 1.1.0
or later, or its OpenSSL 1.0.x equivalents SSLv23_method() and friends.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html

TLS is downgrade-resistant, so there's no need to restrict to just the
most recent version. Just disable all the obsolete versions that have
exposure to known attacks, currently SSLv2 and SSLv3. Already with TLS
1.0, negotiation to the highest mutually supported version should not be
subject to downgrade attacks. However, if all the expected peers support
TLS 1.2, one can also disable TLS 1.0 and TLS 1.1.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

-- 
Viktor.
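As an added example (not code from this thread, from OpenSSL's manual pages, or from any poster), here is the advice above applied through Python's standard `ssl` module, which wraps OpenSSL: `ssl.PROTOCOL_TLS_CLIENT` is CPython's binding of `TLS_client_method()`, and the context's `options` attribute is applied with `SSL_CTX_set_options()`. The function names, the defender's "which versions are still allowed" check, and the TLS 1.2 floor used as the default are assumptions made for the example; the floor mirrors the "all expected peers support TLS 1.2" case in the mail.

```python
import ssl

# Policy order of the protocol versions OpenSSL can negotiate. SSLv2 has no
# TLSVersion member because modern OpenSSL builds cannot speak it at all.
_ORDERED = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def make_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that negotiates the highest version the linked library
    supports, with a floor that excludes obsolete versions.

    `floor` is this example's own parameter (assumption): TLS 1.2 matches the
    "all peers support TLS 1.2" case; pass ssl.TLSVersion.TLSv1 to apply only
    the SSLv2/SSLv3 exclusion.
    """
    # PROTOCOL_TLS_CLIENT is CPython's binding of OpenSSL's TLS_client_method().
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Peer verification is already the default for this protocol; it is
    # restated so the trust policy sits next to the version policy.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Set a floor, never a ceiling: MAXIMUM_SUPPORTED tracks whatever the
    # linked OpenSSL speaks, so a library that adds TLS 1.3 is used with no
    # change to this code and no recompilation.
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def versions_between(lo, hi):
    """Protocol versions admitted by a [minimum, maximum] version policy."""
    start = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _ORDERED.index(lo)
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        stop = len(_ORDERED)
    else:
        stop = _ORDERED.index(hi) + 1
    return _ORDERED[start:stop]


def allowed_versions(ctx):
    """Versions the context's policy admits. The library further caps this at
    what it actually implements (see ssl.HAS_TLSv1_3 and friends)."""
    return versions_between(ctx.minimum_version, ctx.maximum_version)


def weak_versions_enabled(ctx):
    """Defender's check: versions with known attacks the context still allows.
    SSLv2 is never listed because modern OpenSSL cannot negotiate it."""
    weak = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
    return [v for v in allowed_versions(ctx) if v in weak]


if __name__ == "__main__":
    ctx = make_client_context()
    print("linked library:", ssl.OPENSSL_VERSION)
    print("policy allows:", [v.name for v in allowed_versions(ctx)])
    print("weak versions still enabled:", weak_versions_enabled(ctx))
```

The design point is the one Viktor makes: pin a floor (`minimum_version`), not a ceiling. A context created with a version-specific protocol constant such as `ssl.PROTOCOL_TLSv1_2` (the OpenSSL `TLSv1_2_method()` equivalent) freezes the application at that version, which is exactly what the original poster wanted to avoid. `weak_versions_enabled()` is the check to run in a configuration test so that a later relaxation of the floor is caught before deployment.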
Re: [openssl-users] Query regarding upgrading TLS compatibility
On 04/03/2017 04:42 AM, Hegde, Harsha wrote:
> Hi,
>
> I have a query regarding TLS compatibility used in my application.
> Currently we are using TLS1.2 to connect to a third party server. Is
> there any way to always use the highest TLS available version without
> modifying or recompiling the application code whenever there is any
> new version of TLS released?
>

The closest you can come is to use TLS_method() (or the client- or
server-specific version of it), which will prefer the highest version
supported by the library, but also be able to use older versions if needed
in order to interoperate with the peer. It's not entirely clear whether
your question was about restricting to specifically the highest version,
to the exclusion of older versions.

-Ben