Reputation: 373
How to set up SSL protocols priority in OpenSSL
I am implementing an SSL Client using OpenSSL which (1) only "speaks" TLS 1.2, TLS 1.1 and TLS 1.0, (2) set exactly this priority: TLS 1.2. If communication is not possible, use TLS 1.1. If not, TLS 1.0. If not, refuse connection.
I achieve (1) by using
SSL_CTX_set_options(m_ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
But I don't know any way to achieve (2). Is there any "elegant" way to do this in OpenSSL or do I have to attempt several connections checking if communication was possible and, if not, attempt a lower protocol version?
Thanks.
Upvotes: 1
Views: 3361
Answers (1)
Reputation: 123260
There is no protocol priority setting. The client will announce the best version it can do to the server and the server will pick this or a lower version. If the version picked by the server is not supported by the client then the handshake will fail. This is not specific to OpenSSL but this is how SSL/TLS works.
Don't confuse this handshake between client and server with the TLS downgrading mechanism most browsers use. In this case browsers retry the SSL handshake on a new TCP connection with a lower version if the handshake with the better version failed. This behavior is to work around broken SSL/TLS implementations. These downgrades are mostly restricted to browsers, simpler TLS stacks are less tolerant and fail permanently if the first handshake failed.
Upvotes: 1
Related Questions
- How to specify server-preferred order of SSL cipher suites for Java?
- Restrict cipher suite selection using Openssl s_server
- Different TLS protocols per server in Nginx
- openssl 1.0.2, how to force server to choose only set of ciphers
- Support SSL and non-SSL on the same port
- Globally disabling protocols in OpenSSL
- OpenSSL let the server and client negotiate the method
- How to make OpenSSL use http instead of https?
- Howto set the TLS Application Data Protocol in OpenSSL
- Support both SSL and non-SSL on the same server port