On Wed, May 02, 2012, Phil Pennock wrote:

> Folks,
> 
> With OpenSSL 1.0.1b installed (FreeBSD), I made a couple of changes to
> Exim HEAD; one was to set SSL_MODE_AUTO_RETRY on the SSL_CTX used for
> accepting connections, so that renegotiation might theoretically work
> now.  (I mention this so as to clarify that renegotiation will likely
> not work with any *released* version of Exim).
> 
> The other was to update a couple of bits of code to handle support for
> TLS1.1/1.2.  If anyone cares:
>   https://github.com/Exim/exim/commit/c80c557026f3933b0472b13331924f8bd4ed9bf7
> (and yes, the string conversion can probably be better handled with more
> recent versions of OpenSSL via SSL_get_version(); I'm assuming the
> handling inside Exim is because of some historical API limitation).
> 
> I've had to disable STARTTLS on port 25 because of interop problems from
> other senders.  I'm hoping for pointers to what sort of things might be
> going wrong and how I should be tackling them, please.
> 
> Problem 1: given:
>   tls_require_ciphers = ALL:!SSLv2:!LOW:!EXPORT:!EDH:!ADH:!aNULL:!NULL:!DES:@STRENGTH
>   openssl_options = -all +no_tlsv1_1 +no_tlsv1_2
> then on connection with { s_client -starttls smtp } I see:
>   64304 SMTP<< STARTTLS
>   64304 openssl option, removing from 800: 80000bff (all)
>   64304 openssl option, adding from 0: 10000000 (no_tlsv1_1)
>   64304 openssl option, adding from 10000000: 8000000 (no_tlsv1_2)
>   64304 setting SSL CTX options: 0x18000000
> 
> and looking at <openssl/ssl.h>:
>   #define SSL_OP_NO_TLSv1_2                               0x08000000L
>   #define SSL_OP_NO_TLSv1_1                               0x10000000L
> 
> So I know that the context has the correct options set.
> 
> But s_client is negotiating TLS1.2.  What am I likely doing wrong here,
> please?
> 

Can't reproduce that behaviour with s_server/s_client; it correctly negotiates
TLS 1.0 with those options.

Only thing I can think of is setting options in the parent ctx after calling
SSL_new, but if I read your code correctly that's not it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
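To check the arithmetic in the debug lines Phil quoted, here is an added example (not Exim's or OpenSSL's code) that folds an Exim-style `openssl_options` string into an SSL_CTX option mask the same way the trace shows. It assumes the OpenSSL 1.0.1 `ssl.h` bit values and that the `800` the trace starts from is `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`; the option names other than `all`, `no_tlsv1_1` and `no_tlsv1_2` are added for completeness.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Option bits copied from OpenSSL 1.0.1 <openssl/ssl.h>: the two no_tlsv1_x values
 * are the ones quoted in the thread, and 0x800 is the "removing from 800" start value. */
#define OPT_ALL                         0x80000bffUL
#define OPT_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800UL
#define OPT_NO_SSLv2                    0x01000000UL
#define OPT_NO_SSLv3                    0x02000000UL
#define OPT_NO_TLSv1                    0x04000000UL
#define OPT_NO_TLSv1_2                  0x08000000UL
#define OPT_NO_TLSv1_1                  0x10000000UL

static const struct { const char *name; unsigned long bit; } opt_table[] = {
    { "all", OPT_ALL }, { "dont_insert_empty_fragments", OPT_DONT_INSERT_EMPTY_FRAGMENTS },
    { "no_sslv2", OPT_NO_SSLv2 }, { "no_sslv3", OPT_NO_SSLv3 }, { "no_tlsv1", OPT_NO_TLSv1 },
    { "no_tlsv1_1", OPT_NO_TLSv1_1 }, { "no_tlsv1_2", OPT_NO_TLSv1_2 },
};
#define OPT_COUNT (sizeof opt_table / sizeof opt_table[0])

/* Apply whitespace-separated "+name" / "-name" tokens to *opts in order, tracing
 * each step in the shape of the Exim debug lines quoted above.
 * Returns 0 on success, -1 on an unknown name or a token without a +/- prefix. */
int parse_openssl_options(const char *spec, unsigned long *opts)
{
    char tok[64];
    while (*spec) {
        size_t n = 0, i;
        while (isspace((unsigned char)*spec)) spec++;
        if (!*spec) break;
        while (*spec && !isspace((unsigned char)*spec) && n < sizeof tok - 1)
            tok[n++] = *spec++;
        tok[n] = '\0';
        if (tok[0] != '+' && tok[0] != '-') return -1;
        for (i = 0; i < OPT_COUNT && strcmp(tok + 1, opt_table[i].name) != 0; i++)
            ;
        if (i == OPT_COUNT) return -1;
        printf("openssl option, %s from %lx: %lx (%s)\n",
               tok[0] == '+' ? "adding" : "removing", *opts, opt_table[i].bit, tok + 1);
        if (tok[0] == '+') *opts |= opt_table[i].bit;
        else *opts &= ~opt_table[i].bit;
    }
    return 0;
}
```

Starting from 0x800, `-all +no_tlsv1_1 +no_tlsv1_2` yields 0x18000000, matching the "setting SSL CTX options" line, so the mask itself is not the problem. If the mask is right but TLS 1.2 is still negotiated, the remaining thing to check is Steve's point about ordering: an SSL object copies the context's options when SSL_new() creates it, so options set on the SSL_CTX afterwards do not reach an existing SSL.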