Reputation: 55
I have a requirement to connect to a Microsoft Dynamics CRM server from a RedHat Linux server. The address is xxx.api.crm4.dynamics.com. The server accepts TLSv1 but not 1.1 or 1.2 and does not offer renegotiation. In order to maintain my RedHat server with the most up to date patches especially around Heartbleed I need to upgrade to a more recent version of OpenSSL. However, this then enables TLSv1.2 on the RedHat server.
Is there a way to configure OpenSSL to not use TLSv1.2 and TLSv1.1 in outbound communications?
Upvotes: 4
Views: 38081
Reputation: 102296
Is there a way to configure OpenSSL to not use TLSv1.2 and TLSv1.1 in outbound communications?
The protocol version is negotiated for both inbound and outbound. It's part of the ClientHello. While a server can use a lesser protocol version than the client advertises, you can't mix and match.
OpenSSL allows you to define OPENSSL_NO_TLS1, but I believe that kills all TLS, and not just TLS 1.1 and TLS 1.2.
Some Linux distributions disable TLS 1.2 on the client by default. For example, Ubuntu does this for 12 and 13. They do it via OpenSSL's OPENSSL_NO_TLS1_2_CLIENT:
$ /usr/bin/openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Jun 2 19:37:18 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4
-Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2
-Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
Secure Renegotiation is not supported OpenSSL issue
This is your question's title and it's a separate issue. What's your question?
EDIT (from comments):
I am connecting from a RedHat server where we have patched SSL for Heartbleed and so starts any handshake by trying to negotiate with TLSv1.2. As such the receiving server doesn't respond.
I don't think that has to do with secure renegotiation (but I could be wrong).
Here's how to do it programmatically. You won't need to compile OpenSSL again. But you will need to compile your program again.
Here's how to do it with a method (notice the use of TLSv1_method()):
/* https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
const SSL_METHOD* method = TLSv1_method();
ASSERT(NULL != method);
/* http://www.openssl.org/docs/ssl/ctx_new.html */
ctx = SSL_CTX_new(method);
ASSERT(NULL != ctx);
...
Or, you can do it with flags:
/* https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
const SSL_METHOD* method = SSLv23_method();
ASSERT(NULL != method);
/* http://www.openssl.org/docs/ssl/ctx_new.html */
ctx = SSL_CTX_new(method);
ASSERT(ctx != NULL);
/* https://www.openssl.org/docs/ssl/ctx_set_verify.html */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
/* Cannot fail ??? */
/* Remove the most egregious. Because SSLv2 and SSLv3 have been */
/* removed, a TLSv1.0 handshake is used. The client accepts TLSv1.0 */
/* and above. An added benefit of TLS 1.0 and above are TLS */
/* extensions like Server Name Indication (SNI). */
long flags = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
long old_opts = SSL_CTX_set_options(ctx, flags);
UNUSED(old_opts);
...
I prefer the flags method so I can disable broken protocols (like SSLv2) and broken features (like compression). The flags method also allows me to specify "TLS 1.0 and above" (i.e., SSLv23_method() with SSL_OP_NO_*), rather than just TLS 1.0 (i.e., using TLSv1_method()).
JW] I don't think that has to do with secure renegotiation (but I could be wrong).
In case I was wrong, here's how secure renegotiation works: a pseudo-cipher suite is inserted in the ClientHello. A regular cipher suite is like TLS_RSA_WITH_AES_256_CBC_SHA. The pseudo suite used is TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
If the server cannot handle TLS_EMPTY_RENEGOTIATION_INFO_SCSV, then I believe the server needs to be upgraded.
I don't know if there's a client option to work (like an SSL_OP_* flag) around because I refuse to work with broken servers. I think you can downgrade to OpenSSL 0.9.8, but I don't recommend it.
Upvotes: 3
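Added example, not part of the original answer and not OpenSSL code: a small C parser for the two ClientHello fields the answer discusses, the offered protocol version (the client_version field, which in TLS 1.2 and earlier carries the highest version the client offers) and whether TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF, RFC 5746) is among the cipher suites. The names parse_client_hello, build_sample_hello and hello_info are assumptions made for this example, and the sample hello is constructed, not captured from a real client.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SCSV 0x00FF /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746) */

struct hello_info {
    uint16_t client_version; /* e.g. 0x0301 = TLS 1.0, 0x0303 = TLS 1.2 */
    int has_scsv;            /* 1 if the renegotiation SCSV is offered */
};

/* Parse one TLS record holding a ClientHello; 0 on success, -1 if malformed. */
int parse_client_hello(const uint8_t *p, size_t n, struct hello_info *out)
{
    if (n < 44 || p[0] != 0x16 || p[5] != 0x01) return -1; /* handshake, ClientHello */
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    size_t hs_len = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
    if (rec_len + 5 > n || hs_len + 4 > rec_len) return -1;
    size_t end = 9 + hs_len, off = 44 + (size_t)p[43]; /* past version, random, session id */
    if (off + 2 > end) return -1;
    size_t cs_len = ((size_t)p[off] << 8) | p[off + 1];
    if (cs_len == 0 || cs_len % 2 || off + 2 + cs_len > end) return -1;
    out->client_version = (uint16_t)((p[9] << 8) | p[10]);
    out->has_scsv = 0;
    for (size_t i = 0; i < cs_len; i += 2)             /* two bytes per suite */
        if (((p[off + 2 + i] << 8) | p[off + 3 + i]) == SCSV) out->has_scsv = 1;
    return 0;
}

/* Constructed sample: zero random, no session id, no extensions; b needs 52 bytes. */
size_t build_sample_hello(uint8_t *b, uint16_t version, int with_scsv)
{
    uint8_t cs_len = with_scsv ? 4 : 2, body = (uint8_t)(39 + cs_len);
    size_t o = 45;
    memset(b, 0, 9 + (size_t)body);
    b[0] = 0x16; b[1] = 0x03; b[2] = 0x01; b[4] = (uint8_t)(body + 4); /* record header */
    b[5] = 0x01; b[8] = body; b[9] = (uint8_t)(version >> 8); b[10] = (uint8_t)version;
    b[o++] = cs_len;                        /* cipher_suites length (low byte) */
    o++; b[o++] = 0x35;                     /* 0x0035 TLS_RSA_WITH_AES_256_CBC_SHA */
    if (with_scsv) { o++; b[o++] = 0xFF; }  /* 0x00FF pseudo suite */
    b[o] = 1; return o + 2;                 /* one compression method: null (0) */
}

int main(void)
{
    uint8_t buf[64];
    struct hello_info hi;
    size_t n = build_sample_hello(buf, 0x0301, 1);
    if (parse_client_hello(buf, n, &hi) == 0)
        printf("offered 0x%04x, SCSV %s\n", hi.client_version, hi.has_scsv ? "present" : "absent");
    return 0;
}
```

Run against a captured ClientHello from the patched client, the same two fields show which version it advertises and whether it signals secure renegotiation.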