How would i support multiple version of TLS on client side? - McMap

About

How would i support multiple version of TLS on client side?

Asked 21/4, 2015 at 17:44 Answered 21/4, 2015 at 19:22

Solved c++ssl openssl ssl-certificate poodle-attack

K

1

6

Hi I want to support multiple version's of TLS using SSLV23 method on client side.But I am not able to connect getting error :

SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Can anyone please tell me how would i support multiple version of TLS using openssl?

Code Snippet for SSLV23(Not Working)

cctx = SSL_CTX_new(SSLv23_client_method());
  if(cctx) {
  SSL_CTX_set_options(cctx, SSL_OP_NO_SSLv3);
  }

For Only TLS V1 (Working)

cctx = SSL_CTX_new(TLSv1_client_method());

Keratosis answered 21/4, 2015 at 17:44 Comment(6)

What context are you using this in? – Pavel 21/4, 2015 at 17:48

Actually we want to disable sslv3 on our client side and enable TLS protocols,but if my server will support only TLS v1.2 or TLS v1.1 or TLS v1 how would i provide that functionality on client side? – Keratosis 21/4, 2015 at 17:54

why don't you just use TLSv1_client_method() ? BTW, the same code you showed did result in TLS1.0 connection in my test. – Coster 21/4, 2015 at 18:31

Use SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 as the context option. You should probably disable compression with SSL_OP_NO_COMPRESSION. Since you are using TLS 1.0 and above, you should also set the server name for SNI. Also see SSL/TLS Client on the OpenSSL wiki. – Nihility 21/4, 2015 at 19:40

@Coster - "why don't you just use TLSv1_client_method()" - TLS 1.2 is most secure of all of them, so it would probably be best to not exclude it. – Nihility 21/4, 2015 at 19:42

Thanks @jww,you are the saviour,Now i am able to support all the three TLS protocols using the code cctx = SSL_CTX_new(SSLv23_client_method()); const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(cctx, flags); – Keratosis 22/4, 2015 at 4:55

C

8

Based on your tags and comments, I assume you want only TLS connections. The clients should initiate only TLS connections. If so, why do you insist on SSLv23_client_method? But the following did send out TLS 1.0 client hello in my test:

ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);

To prevent POODLE attack, the best would be to completely disable SSL3 support on client and servers. In your case you mentioned that the servers support only TLS. Hence there is no need for backward compatibility with clients on SSL3 In case the server does talk SSL3, to prevent POODLE attack, client and server should implement TLS fallback signaling Cipher Suite Value- https://datatracker.ietf.org/doc/html/draft-ietf-tls-downgrade-scsv-05

Examples of setting up TLS on client side:

/* Exclude SSLv2 and SSLv3 */
ctx = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);

/* Exclude SSLv2, SSLv3 and TLS 1.0 */

 ctx = SSL_CTX_new(TLSv1_1_client_method());
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
 SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1);

/* Exclude SSLv2, SSLv3 ,TLS 1.0 and TLS 1.1 */

   ctx = SSL_CTX_new(TLSv1_2_client_method());
   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
   SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1);
   SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1_1);

You can also OR the options and pass on to SSL_CTX_set_options in one go.

Coster answered 21/4, 2015 at 19:22 Comment(2)

Your answer could be misunderstood in that way that something's wrong with SSLv23_client_method(). In OpenSSL 1.0.2 it is a general purpose call with protocol fallback. You can use all SSL_OP_NO_* options. See man page. – Condominium 8/6, 2019 at 0:7

I agree with @reichart - this answer is largely incorrect. The TLSv1*_client_method calls don't do what Prabhu thinks. It locks the protocol to that version of TLS. What you want is to use is SSLv23_client_method (surprise!) since that negotiates up to the best method supported by both client and server. SSLv2 is disabled by default, so you just need to disable SSLv3. In other words, you want exactly the code OP had when he started. There must be some other bug in OP's code which is not listed. – Bissau 11/7, 2019 at 15:16

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.