Hi.

On Wed, Sep 06, 2017 at 09:57:09AM +0200, to...@tuxteam.de wrote:
> On Tue, Sep 05, 2017 at 11:40:46PM +0200, Sven Hartge wrote:
> > Michael Grant <mgr...@grant.org> wrote:
> >
> > > Is there something I can set on Debian side to force this newer
> > > openssl to accept older 1.x connections?
> >
> > No, you can't.
> >
> > Kurt Roeckx, the DD maintaining OpenSSL, patched it in such a way that a
> > program needs to call a special function of OpenSSL to override the
> > default minimum TLS-version of TLS1.2.
> >
> > Problem is: next to no program implements this as of yet.
>
> Isn't there any LD_PRELOAD [1] [2] [3] trick one could play? I mean
> interposing something between the executable and the lib to slightly
> modify the lib's default behaviour?
There'll be once someone writes it. Maybe I'll do it this weekend.

Looking at tls1_2_default.patch from Debian's openssl, the only thing that
needs to be done is to override this change:

@@ -2372,7 +2372,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err; ret->method = meth; - ret->min_proto_version = 0; + if (meth->version == TLS_ANY_VERSION) + ret->min_proto_version = TLS1_2_VERSION; + else + ret->min_proto_version = 0; ret->max_proto_version = 0; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;

I.e. intercept a call to SSL_CTX_new, set meth->version to, say, TLS1_0_VERSION
and call a real SSL_CTX_new.

I'll need it anyway once buster becomes stable as I'm forced to use a certain
cirrus IMAP server which only advertises TLS 1.0.

Reco
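Review bot: the new `if (meth->version == TLS_ANY_VERSION)` branch changes the default that every caller of SSL_CTX_new sees, yet the hunk carries no comment recording the intent. Suggest a comment above that `if` stating that the TLS1_2_VERSION floor is a distribution default rather than upstream behaviour, that it applies only to TLS_ANY_VERSION methods while fixed-version methods keep `ret->min_proto_version = 0;`, and that SSL_CTX_set_min_proto_version remains the way for an application to lower it; without that, someone reading the packaged source cannot tell why connections to a server that only offers TLS 1.0 are refused by default.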
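An LD_PRELOAD shim along the lines Reco sketches, written here as an added example and not code from this thread or from Debian's openssl package. It interposes SSL_CTX_new, lets the real function build the context, and then lowers the minimum protocol version on that returned context through SSL_CTX_ctrl, which is the call behind the SSL_CTX_set_min_proto_version macro in OpenSSL 1.1 and exactly the override the Debian patch leaves open to applications; it does not touch `meth`, which libssl hands out as a const method table. The environment variable TLS_FLOOR and the function floor_from_setting are this example's own names; the numeric constants are the values from <openssl/ssl.h>, copied in so the file builds without the OpenSSL headers, and the shim assumes the OpenSSL 1.1 ABI.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* glibc exposes RTLD_NEXT only under _GNU_SOURCE; supply its value in case
 * the feature macro was not seen before the first system header. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1L)
#endif

/* Opaque OpenSSL types and the two libssl entry points the shim chains to,
 * declared by hand so this file compiles without OpenSSL headers.
 * Assumption: OpenSSL 1.1 ABI, where SSL_CTX_set_min_proto_version() is a
 * macro over SSL_CTX_ctrl() using the command number below. */
typedef struct ssl_ctx_st SSL_CTX;
typedef struct ssl_method_st SSL_METHOD;
typedef SSL_CTX *(*ssl_ctx_new_fn)(const SSL_METHOD *);
typedef long (*ssl_ctx_ctrl_fn)(SSL_CTX *, int, long, void *);

#define SSL_CTRL_SET_MIN_PROTO_VERSION 123   /* value from <openssl/ssl.h> */
#define TLS1_VERSION   0x0301                /* TLS 1.0 */
#define TLS1_1_VERSION 0x0302                /* TLS 1.1 */
#define TLS1_2_VERSION 0x0303                /* TLS 1.2 */

/* Translate the TLS_FLOOR setting (a name chosen for this shim, not an
 * OpenSSL option) into a protocol constant. 0 means "leave the library
 * default untouched", and that is also what a missing or unrecognised value
 * maps to, so a typo can never lower the floor by accident. */
int floor_from_setting(const char *setting)
{
    if (setting == NULL)
        return 0;
    if (strcmp(setting, "1.0") == 0)
        return TLS1_VERSION;
    if (strcmp(setting, "1.1") == 0)
        return TLS1_1_VERSION;
    if (strcmp(setting, "1.2") == 0)
        return TLS1_2_VERSION;
    return 0;
}

/* Interposed SSL_CTX_new(): let libssl build the context, then apply the
 * requested minimum on that context. This is the same call a patched
 * application would make itself, only made from outside the program. */
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
{
    ssl_ctx_new_fn real_new = (ssl_ctx_new_fn) dlsym(RTLD_NEXT, "SSL_CTX_new");
    ssl_ctx_ctrl_fn real_ctrl = (ssl_ctx_ctrl_fn) dlsym(RTLD_NEXT, "SSL_CTX_ctrl");
    SSL_CTX *ctx;
    int min_version;

    if (real_new == NULL) {
        fprintf(stderr, "tlsfloor: libssl's SSL_CTX_new not found\n");
        return NULL;
    }
    ctx = real_new(meth);
    min_version = floor_from_setting(getenv("TLS_FLOOR"));
    if (ctx != NULL && real_ctrl != NULL && min_version != 0) {
        /* SSL_CTX_ctrl returns 1 on success; it refuses the request for
         * fixed-version methods, which the Debian patch leaves alone anyway. */
        if (real_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, min_version, NULL) != 1)
            fprintf(stderr, "tlsfloor: could not set minimum version 0x%04x\n",
                    min_version);
        else
            fprintf(stderr, "tlsfloor: minimum protocol version set to 0x%04x\n",
                    min_version);
    }
    return ctx;
}
```

Build it with `gcc -shared -fPIC -o tlsfloor.so tlsfloor.c -ldl` and run the one client that needs it as `TLS_FLOOR=1.0 LD_PRELOAD=./tlsfloor.so program`. The floor is opt-in per process and applies to every context that process creates, so keeping it on the command line of the single program talking to the TLS 1.0 server, rather than in a profile, limits the lowered minimum to that program; a program that later calls SSL_CTX_set_min_proto_version itself will override whatever the shim set.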