Reputation: 3212
I'm trying to get my SSL server to support both TLS 1.1 and TLS 1.2, while not supporting earlier versions.
This is how I configure my SSL context:
#include <memory>
#include <boost/asio.hpp>
#include <boost/asio/ssl.hpp>
#include <openssl/ssl.h>
namespace ssl = boost::asio::ssl; // alias used by the ssl::context::pem calls below
// Here io is an instance of io_service
boost::asio::ssl::context ctx(io, boost::asio::ssl::context::tlsv12_server);
ctx.use_certificate_chain_file("./certs.pem");
ctx.use_private_key_file("./key.pem", ssl::context::pem);
SSL_CTX_set_cipher_list(ctx.native_handle(), "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS");
ctx.set_options(boost::asio::ssl::context::default_workarounds
| boost::asio::ssl::context::no_sslv2
| boost::asio::ssl::context::no_sslv3
| boost::asio::ssl::context::no_tlsv1
| boost::asio::ssl::context::single_dh_use
| SSL_OP_CIPHER_SERVER_PREFERENCE);
ctx.clear_options(boost::asio::ssl::context::no_tlsv1_1);
// Creating socket:
using ssl_socket = boost::asio::ssl::stream<boost::asio::ip::tcp::socket>;
auto sock = std::make_unique<ssl_socket>(io, ctx);
I even tried to clear the no_tlsv1_1 option, in case it was somehow being set by default. Even if I reduce the configuration to:
ctx.use_certificate_chain_file("./certs.pem");
ctx.use_private_key_file("./key.pem", ssl::context::pem);
when trying to connect with a TLS 1.1 client, the async_handshake callback still gives an error code asio.ssl:336109835, wrong version number. When connecting with a TLS 1.2 client, everything works fine.
If, when constructing the SSL context, I change the second parameter from tlsv12_server to tlsv11_server, then TLS 1.1 works fine, but TLS 1.2 becomes unavailable.
I've tried Boost versions 1.54 and 1.65.1 and OpenSSL versions 1.0.2g and 1.0.2l; it seems to be the case on all of them. I'm running Linux Mint 18.2.
What should I do to allow both TLS 1.1 and TLS 1.2?
Upvotes: 5
Views: 7659
Reputation: 3212
I managed to figure it out myself. The method tlsv12_server that I was passing in when constructing the context is neither the maximum nor the minimum supported version; the method is the exact protocol that will be used.
If you want to use multiple protocols, there are special methods for that, for example tls_server, which doesn't specify a version and enables TLS 1.0, 1.1 and 1.2. Then, to disable 1.0, the boost::asio::ssl::context::no_tlsv1 option works fine, leaving only 1.1 and 1.2 enabled.
Upvotes: 12