We have a Linux C program that uses the OpenSSL APIs and acts as a TLS server. It currently has this code:
context = SSL_CTX_new(TLS_method());
The OpenSSL v1.1.1 manual page says this will support SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. We now have a new requirement to support only TLS 1.3. Will setting SSL_CTX_set_min_proto_version(TLS1_3_VERSION) just do the trick? Or is there another practical way for the server to reject client connections with a version lower than TLS 1.3?
Thanks much.
TLS 1.2 is supported on OpenSSL version 1.0.1 or later. If your OpenSSL version is below that version, then you'll need to upgrade your OpenSSL package.
The TLS 1.3 protocol has improved latency over older versions, has several new features, and is currently supported in Chrome (starting with release 66) and Firefox (starting with release 60), and is in development for the Safari and Edge browsers.
OpenSSL has implemented support for five TLSv1.3 ciphersuites as follows: TLS13-AES-256-GCM-SHA384.
New security ciphers: TLS 1.3 uses new security ciphers and is not compatible with the old ones. Removed weak security: weak security encryption has been removed and will not work with TLS 1.3, e.g., MD5, RC4 etc.
Calling SSL_CTX_set_min_proto_version(context, TLS1_3_VERSION);
is all that is needed. This restricts sessions created from this context to not use versions of TLS below 1.3.
Also, you can use TLS_server_method to create a context object that will create sessions that default to server mode.
Another solution, similar to the one already posted, is to use SSL_CTX_set_options, which allows you to pass all the protocols you want to ignore, such as
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2