Hi Erik,

I can still connect via TLS 1.1.

I tried:

OpenSSL> version
OpenSSL 1.0.1b 26 Apr 2012
OpenSSL>

OpenSSL> s_server -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 -accept 636 -debug -msg -state -cert e:\OpenSSL\c-examples\server_rsa.pem -cipher RSA
Enter pass phrase for e:\OpenSSL\c-examples\server_rsa.pem:
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Now I start the client:

OpenSSL> s_client -connect myserver:636 -tls1_1
Loading 'screen' into random state - done
CONNECTED(00000364)
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=My-Company/OU=DirX-Example/OU=DirX8.2/CN=dirxldapv3
   i:/O=My-Company/OU=DirX-Example/CN=test-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/O=My-Company/OU=DirX-Example/OU=DirX8.2/CN=dirxldapv3
issuer=/O=My-Company/OU=DirX-Example/CN=test-CA
---
No client certificate CA names sent
---
SSL handshake has read 1100 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1016 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: B381784F69E8CB800770B1E8BF90200027B8612DDFCD51782B62675038ECC0CE
    Session-ID-ctx:
    Master-Key: 9E20FFC8EA4550EAD225CBAA7D59FD654DB9658B6C08C70487E7A9B46C2A6850316478FAB394924529AEB8FB6E15353C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 35 e5 37 a3 b6 d5 24 07-0a 6b ef fa d9 ff 5f 7c   5.7...$..k...._|
    0010 - 78 08 34 8d 07 15 7c ba-f8 6c 06 e0 02 e2 18 eb   x.4...|..l......
    0020 - f9 05 2b 4f 59 a1 58 53-a6 eb 51 36 1a a2 c4 d4   ..+OY.XS..Q6....
    0030 - e4 b9 d4 70 ed 08 c9 44-f2 9e 51 3a c7 03 72 39   ...p...D..Q:..r9
    0040 - 1e cc e4 4f fc 3a ea 99-41 41 cd 95 ca 0f ed bc   ...O.:..AA......
    0050 - 5d 36 d4 4a 7e 7f 16 96-bf 51 36 a0 22 bd ab 54   ]6.J~....Q6."..T
    0060 - e0 0c 29 7f 01 a9 15 bd-6f 42 af 4d 2a 9d 3d b5   ..).....oB.M*.=.
    0070 - 8e b3 06 4f 0f 44 53 a8-79 25 04 cd 08 aa c0 be   ...O.DS.y%......
    0080 - 2b 24 c7 4a d4 2b 49 6d-69 46 db 67 c6 55 ab d9   +$.J.+ImiF.g.U..
    0090 - bf 93 49 f5 ff 2c 07 10-3f 32 f4 49 4d e6 b7 27   ..I..,..?2.IM..'

    Start Time: 1346661046
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
OpenSSL>


Mit freundlichen Grüßen/Regards



Gerhard Jahn
Tel.: +49 (89) 636-44657
Fax: +49 (89) 636-45860
mailto:gerhard.j...@atos.net
Otto-Hahn-Ring 6
81739 München, Deutschland
Germany
atos.net




________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Erik Tkal
Sent: Friday, August 31, 2012 10:01 PM
To: openssl-users@openssl.org
Subject: RE: SSL_CTX_set_options not working for SSL_OP_NO_TLSv1_1

Hi Gerhard,

I have been playing with those options myself and your scenario should work.
Try using s_server -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 in conjunction with
s_client -tls1_1.  This sets exactly the options you indicate and it fails to
connect.

It’s not clear from your code, but make sure you are setting those options on 
the SSL_CTX before you create an SSL session from that context.

  Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Jahn, Gerhard
Sent: Friday, August 31, 2012 5:33 AM
To: 'openssl-users@openssl.org'
Subject: SSL_CTX_set_options not working for SSL_OP_NO_TLSv1_1


Hello,

I'm using OpenSSL 1.0.1c in my server application.
This application can be configured to disallow accepting certain SSL/TLS 
protocols.

If only TLS1.2 shall be allowed, the application calls

/* version-flexible server method; the accepted range is narrowed below */
const SSL_METHOD *meth = SSLv23_server_method();
SSL_CTX *OpenSSLctx = SSL_CTX_new(meth);

…..

SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv2);   /* never use SSL2 */

/* each SSL_OP_NO_* bit removes one protocol version from the context */
if (!allowed_ssl3)
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv3);

if (!allowed_tls1)
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1);

if (!allowed_tls11)
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_1);

if (!allowed_tls12)
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_2);

….

In the case where:

     allowed_ssl3 = allowed_tls1 = allowed_tls11 = FALSE   and   allowed_tls12 = TRUE

I'd expect that a TLS 1.1 connection cannot be established, but it can.

The same is true if only SSLv3 or TLSv1.0 is allowed.

Am I doing something wrong?


Mit freundlichen Grüßen/Regards

Gerhard Jahn

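As an added example (not code from the thread or from OpenSSL itself), the following Python script reproduces the version policy from Gerhard's snippet and adds the check a practitioner would want: it applies the same SSL_OP_NO_* bits to a server context, reads them back to list which versions remain negotiable, and parses the "Protocol :" line of an `openssl s_client` session dump to flag a handshake that used a version the policy was meant to refuse. It assumes Python's standard `ssl` module (which exposes the OpenSSL option bits under the same names) and uses a constructed, trimmed copy of the SSL-Session block shown above as sample input. SSLv3 is left out of the table because a fresh Python context already sets OP_NO_SSLv3; TLS 1.3 is included because a current OpenSSL will negotiate it unless it is explicitly disabled.

```python
import re
import ssl

# Maps a protocol name to the SSL_OP_NO_* bit that disables it. These are the
# option bits the original post passes to SSL_CTX_set_options; Python's ssl
# module exposes them under the same names. SSLv3 is omitted because a fresh
# Python context already carries OP_NO_SSLv3; TLS 1.3 is included because a
# modern OpenSSL negotiates it unless it is explicitly switched off.
NO_VERSION_OPTION = {
    "TLSv1":   ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": ssl.OP_NO_TLSv1_3,
}


def build_server_context(allowed):
    """Create a server context and disable every version not in `allowed`.

    PROTOCOL_TLS_SERVER is the Python counterpart of SSLv23_server_method():
    a version-flexible method whose range is then narrowed with SSL_OP_NO_*
    bits, the same approach as the allowed_* flags in the original post.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2   # never use SSL2 (a no-op on OpenSSL >= 1.1)
    for name, no_opt in NO_VERSION_OPTION.items():
        if name not in allowed:
            ctx.options |= no_opt
    return ctx


def enabled_versions(ctx):
    """Read the option bits back: a version whose SSL_OP_NO_* bit is clear
    is still negotiable by this context."""
    return {name for name, no_opt in NO_VERSION_OPTION.items()
            if not (ctx.options & no_opt)}


# `openssl s_client` prints the negotiated version in its SSL-Session block.
_PROTOCOL_LINE = re.compile(r"^\s*Protocol\s*:\s*(\S+)\s*$", re.MULTILINE)


def negotiated_protocol(s_client_output):
    """Return the version named on the 'Protocol : ...' line, or None."""
    match = _PROTOCOL_LINE.search(s_client_output)
    return match.group(1) if match else None


def check_handshake(ctx, s_client_output):
    """Compare what s_client negotiated with what the context allows.

    Returns (protocol, conforms); conforms is False when the peer accepted a
    version the context was configured to refuse, which is the symptom
    reported in the thread.
    """
    protocol = negotiated_protocol(s_client_output)
    return protocol, protocol in enabled_versions(ctx)


# Constructed sample: the SSL-Session block from the thread, trimmed.
SAMPLE_S_CLIENT_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: B381784F69E8CB800770B1E8BF90200027B8612DDFCD51782B62675038ECC0CE
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    only_tls12 = build_server_context({"TLSv1.2"})
    print("enabled versions:", sorted(enabled_versions(only_tls12)))
    print("handshake check:", check_handshake(only_tls12, SAMPLE_S_CLIENT_OUTPUT))
```

Run it as-is to see the policy "only TLS 1.2" evaluated against the TLS 1.1 session from the thread; to use it against a live server, capture `openssl s_client -connect host:port -tls1_1` output and pass it to `check_handshake`. On Python 3.7 and later the OP_NO_* bits are deprecated in favour of `ctx.minimum_version` / `ctx.maximum_version`, which express the same policy as a contiguous range and avoid the mistake of enumerating the versions you know about while a newer one stays enabled.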