
Hi, I want to support multiple versions of TLS using the SSLv23 method on the client side, but I am not able to connect and get this error:

SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Can anyone please tell me how I would support multiple versions of TLS using OpenSSL?

Code snippet for SSLv23 (not working):

cctx = SSL_CTX_new(SSLv23_client_method());
if (cctx) {
    SSL_CTX_set_options(cctx, SSL_OP_NO_SSLv3);
}

For only TLS v1 (working):

cctx = SSL_CTX_new(TLSv1_client_method());

Actually we want to disable SSLv3 on our client side and enable the TLS protocols, but if my server supports only TLS v1.2 or TLS v1.1 or TLS v1, how would I provide that functionality on the client side? – mahan07, Apr 21, 2015 at 17:54

Why don't you just use TLSv1_client_method()? BTW, the same code you showed did result in a TLS 1.0 connection in my test. – Prabhu, Apr 21, 2015 at 18:31

Use SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 as the context options. You should probably disable compression with SSL_OP_NO_COMPRESSION. Since you are using TLS 1.0 and above, you should also set the server name for SNI. Also see SSL/TLS Client on the OpenSSL wiki. – jww, Apr 21, 2015 at 19:40

@Prabhu - "why don't you just use TLSv1_client_method()" - TLS 1.2 is the most secure of all of them, so it would probably be best not to exclude it. – jww, Apr 21, 2015 at 19:42

Based on your tags and comments, I assume you want only TLS connections. The clients should initiate only TLS connections. If so, why do you insist on SSLv23_client_method? But the following did send out a TLS 1.0 client hello in my test:

ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

To prevent the POODLE attack, the best option would be to completely disable SSLv3 support on clients and servers. In your case you mentioned that the servers support only TLS, hence there is no need for backward compatibility with clients on SSLv3. In case the server does talk SSLv3, to prevent the POODLE attack the client and server should implement the TLS Fallback Signaling Cipher Suite Value: https://datatracker.ietf.org/doc/html/draft-ietf-tls-downgrade-scsv-05

Examples of setting up TLS on the client side:

/* Exclude SSLv2 and SSLv3 */
ctx = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

/* Exclude SSLv2, SSLv3 and TLS 1.0 */
ctx = SSL_CTX_new(TLSv1_1_client_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);

/* Exclude SSLv2, SSLv3, TLS 1.0 and TLS 1.1 */
ctx = SSL_CTX_new(TLSv1_2_client_method());
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);

You can also OR the options together and pass them to SSL_CTX_set_options in one go.

Your answer could be misunderstood in such a way that something's wrong with SSLv23_client_method(). In OpenSSL 1.0.2 it is a general purpose call with protocol fallback. You can use all SSL_OP_NO_* options. See the man page. – reichhart, Jun 8, 2019 at 0:07

I agree with @reichhart - this answer is largely incorrect. The TLSv1*_client_method calls don't do what Prabhu thinks. They lock the protocol to that version of TLS. What you want to use is SSLv23_client_method (surprise!) since that negotiates up to the best method supported by both client and server. SSLv2 is disabled by default, so you just need to disable SSLv3. In other words, you want exactly the code OP had when he started. There must be some other bug in OP's code which is not listed. – Haydentech, Jul 11, 2019 at 15:16
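The negotiation rule the comments describe, as an added example that is not from the question, the answer or OpenSSL: Go's crypto/tls stands in for libssl here because it can run a real handshake in memory with no network and no OpenSSL build. The client's MinVersion/MaxVersion play the role of the *_client_method choice plus the SSL_OP_NO_* flags, and the server is pinned to TLS 1.2 like the server in the question; the host name example.test and its certificate are constructed at run time for this demo only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway "example.test" certificate at run time (constructed
// for this demo, no real CA) and a pool that trusts it, so the client still verifies.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// TLS12OnlyServer models the question: a server speaking only TLS 1.2, probed by a client
// allowed [lo, hi] (hi 0 = library's highest); returns the negotiated version, or 0 and the error.
func TLS12OnlyServer(lo, hi uint16) (uint16, error) {
	cert, pool := selfSignedCert()
	c, s := net.Pipe() // in-memory connection, no network needed
	defer c.Close()
	defer s.Close()
	done := make(chan struct{})
	go func() {
		srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
			MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
		srv.Handshake() // a failure here reaches the client as a fatal alert
		close(done)
	}()
	conn := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: "example.test", // SNI + verification
		MinVersion: lo, MaxVersion: hi})
	err := conn.Handshake()
	<-done // let the server side finish before the deferred closes tear down the pipe
	if err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}
```

A client given a range (TLS 1.2 up to the library's highest) lands on TLS 1.2, while a client pinned to the single version TLS 1.3 gets a handshake failure, which is the version-lock behaviour the comments attribute to the TLSv1*_client_method calls.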
