Re: [openssl-users] Query regarding upgrading TLS compatibility

2017-04-03 Thread Viktor Dukhovni

> On Apr 3, 2017, at 8:42 PM, Kyle Hamilton  wrote:
> 
> 
> In other words, it is very unlikely that TLS 1.3 can be implemented
> in a binary-compatible manner.  It is best if you plan to recompile
> your application against the version of the library that implements
> TLS 1.3.

Unlikely or not, the OpenSSL 1.1.1 release will be binary compatible
with 1.1.0 and will support TLS 1.3.  There will be new features, but
for most applications, the software and protocol upgrade is transparent.


-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Query regarding upgrading TLS compatibility

2017-04-03 Thread Kyle Hamilton
Every new version of TLS requires code to be written.  Sometimes it can be
implemented in a binary compatible manner, and in those situations you can
get the implementation of a new TLS version by simply replacing a DLL or
equivalent dynamic library.  However, it's much more likely that the
implementation requires non-binary-compatible changes, and your application
will need to be recompiled against the new version of the library that
supports the newest TLS version.

In other words, it is very unlikely that TLS 1.3 can be implemented in a
binary-compatible manner.  It is best if you plan to recompile your
application against the version of the library that implements TLS 1.3.

-Kyle H

On Mon, Apr 3, 2017 at 2:42 AM, Hegde, Harsha wrote:

> Hi,
>
> I have a query regarding TLS compatibility used in my application.
> Currently we are using TLS1.2 to connect to a third party server. Is there
> any way to always use the highest TLS available version without modifying
> or recompiling the application code whenever there is any new version of
> TLS released.
>
> Thanks & Regards
>
> Harsha
>


Re: [openssl-users] Query regarding upgrading TLS compatibility

2017-04-03 Thread Viktor Dukhovni

> On Apr 3, 2017, at 5:58 PM, Benjamin Kaduk via openssl-users wrote:
> 
>> I have a query regarding TLS compatibility used in my application. 
>> Currently we are using TLS1.2 to connect to a third party server. Is there 
>> any way to always use the highest TLS available version without modifying or 
>> recompiling the application code whenever there is any new version of TLS 
>> released.
> 
> The closest you can come is to use TLS_method() (or the client- or 
> server-specific version of it), which will prefer the highest version 
> supported by the library, but also be able to use older versions if needed in 
> order to interoperate with the peer.  It's not entirely clear whether your 
> question was about restricting to specifically the highest version, to the 
> exclusion of older versions.

I would phrase this more forcefully.  The correct way to do exactly what the
OP asked for is to use TLS_method() and friends with OpenSSL 1.1.0 or later,
or its OpenSSL 1.0.x equivalents SSLv23_method() and friends.

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html
https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html

TLS is downgrade-resistant, so there's no need to restrict to just
the most recent version.  Just disable all the obsolete versions that
have exposure to known attacks, currently SSLv2 and SSLv3.

Already with TLS 1.0 negotiation to the highest mutually supported
version should not be subject to downgrade attacks.  However, if
all the expected peers support TLS 1.2, one can also disable TLS 1.0
and TLS 1.1.

  https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
  https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html

-- 
Viktor.
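The configuration Viktor describes, written out as an added example (not code from the thread) in Python's standard ssl module, which wraps the same OpenSSL API: PROTOCOL_TLS_CLIENT is TLS_client_method(), SSLContext.options is SSL_CTX_set_options(), and minimum_version is SSL_CTX_set_min_proto_version() from 1.1.0 onward. The helper names and the require_tls12 flag are this example's own.

```python
"""Version-flexible TLS client context: negotiate the highest mutually
supported version, disable SSLv2/SSLv3, optionally require TLS 1.2+.
Added example; helper names and the require_tls12 flag are assumptions."""
import ssl


def make_client_context(require_tls12: bool = True) -> ssl.SSLContext:
    """Build a client context that prefers the newest version the library has."""
    # PROTOCOL_TLS_CLIENT maps to OpenSSL's TLS_client_method(): no version is
    # pinned, so a library upgrade that adds a newer TLS version is used
    # without touching this code, which is what the original poster asked for.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # default for *_CLIENT, made explicit
    ctx.check_hostname = True
    ctx.load_default_certs()

    # SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3): drop the
    # obsolete versions with known attacks. The OP_NO_* flags are the 1.0.x-era
    # mechanism; on 1.1.0+ a minimum version is the preferred form (below).
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3

    # Raise the floor, never the ceiling: a minimum keeps legacy versions out
    # when every peer speaks TLS 1.2, while an unbounded maximum keeps future
    # versions in (pinning "only the newest" would be self-defeating).
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_2 if require_tls12
                           else ssl.TLSVersion.MINIMUM_SUPPORTED)
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Names of the versions the context's policy permits, lowest first.
    Derived from the configured bounds and options only, not from what the
    linked OpenSSL was built with, so the result is deterministic."""
    candidates = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
                  ssl.TLSVersion.TLSv1_3]
    lo, hi = ctx.minimum_version, ctx.maximum_version  # negative = unbounded
    allowed = []
    for v in candidates:
        if lo >= 0 and v < lo:
            continue
        if hi >= 0 and v > hi:
            continue
        if v == ssl.TLSVersion.SSLv3 and ctx.options & ssl.OP_NO_SSLv3:
            continue
        allowed.append(v.name)
    return allowed


if __name__ == "__main__":
    for strict in (True, False):
        print("require_tls12=%s -> %s"
              % (strict, allowed_versions(make_client_context(strict))))
```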


Re: [openssl-users] Query regarding upgrading TLS compatibility

2017-04-03 Thread Benjamin Kaduk via openssl-users
On 04/03/2017 04:42 AM, Hegde, Harsha wrote:
>
> Hi,
>
> I have a query regarding TLS compatibility used in my application.
> Currently we are using TLS1.2 to connect to a third party server. Is
> there any way to always use the highest TLS available version without
> modifying or recompiling the application code whenever there is any
> new version of TLS released.
>
The closest you can come is to use TLS_method() (or the client- or
server-specific version of it), which will prefer the highest version
supported by the library, but also be able to use older versions if
needed in order to interoperate with the peer.  It's not entirely clear
whether your question was about restricting to specifically the highest
version, to the exclusion of older versions.

-Ben