On 12/11/2012 02:44 AM, Alex Chen wrote:
> I want to set up SSL so it does not use SSL v2 or older, just like what
> Apache has in its httpd-ssl.conf
> SSLProtocol all -SSLv2
> What is the equivalent API to do this?

After reviewing existing documentation and code, I came up with this:

  #include <stdio.h>
  #include <stdlib.h>
  #include <openssl/bio.h>
  #include <openssl/err.h>
  #include <openssl/ssl.h>

  // Error BIO for ERR_print_errors(); the snippet assumes one exists.
  BIO *const bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

  // Configure a client connection context.  Send a handshake for the
  // highest supported TLS version, and disable compression.
  const SSL_METHOD *const req_method = SSLv23_client_method();
  SSL_CTX *const ctx = SSL_CTX_new(req_method);
  if (ctx == NULL) {
    ERR_print_errors(bio_err);
    exit(1);
  }
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);

(Error handling is only exploratory, of course.)

With version 1.0.0j, this sends a TLS 1.0 hello, and with 1.0.1c, a TLS 1.2 hello.

--
Florian Weimer / Red Hat Product Security Team
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
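The same context setup expressed through Python's ssl module, which wraps the OpenSSL SSL_CTX options discussed in the reply above; this is an added example, not code from the thread. The TLS 1.2 floor, the `_VERSIONS` table and the `allowed_versions` / `compression_disabled` helpers are my additions, and the note about OP_NO_SSLv2 applies to OpenSSL 1.1.0 or newer.

```python
import ssl

# Protocol versions in negotiation order, as the ssl module names them.
# SSLv2 has no entry at all: OpenSSL 1.1.0 removed it, and on such builds
# the OP_NO_SSLv2 bit that the C snippet ORs in is defined as 0 (a no-op),
# so "is SSLv2 off?" can no longer be answered by testing that bit.
_VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
             ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
             ssl.TLSVersion.TLSv1_3]


def make_client_context() -> ssl.SSLContext:
    """Client context: negotiate the highest mutually supported version,
    refuse anything below TLS 1.2, and disable TLS compression."""
    # PROTOCOL_TLS_CLIENT wraps SSLv23_client_method()/TLS_client_method(),
    # the "any version" method, as opposed to a version-pinned one.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Same option bit the C snippet sets via SSL_CTX_set_options().
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Modern replacement for stacking OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_TLSv1:
    # a floor, which is how "SSLProtocol all -SSLv2" reads as policy.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Names of the versions the context is willing to negotiate, derived
    from its floor and ceiling.  The MINIMUM_/MAXIMUM_SUPPORTED sentinels
    mean "whatever this OpenSSL build supports", so expand them."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _VERSIONS[-1]
    return [v.name for v in _VERSIONS if lo <= v <= hi]


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the OP_NO_COMPRESSION bit is set on the context."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    c = make_client_context()
    print("negotiable versions:", allowed_versions(c))
    print("compression disabled:", compression_disabled(c))
```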