Hi Gerhard,

I have been playing with those options myself and your scenario should work. Try using s_server -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 in conjunction with s_client -tls1_1. This sets exactly the options you indicate and it fails to connect.

It's not clear from your code, but make sure you are setting those options on the SSL_CTX before you create an SSL session from that context.

Erik

Erik Tkal
Juniper OAC/UAC/Pulse Development

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jahn, Gerhard
Sent: Friday, August 31, 2012 5:33 AM
To: 'openssl-users@openssl.org'
Subject: SSL_CTX_set_options not working for SSL_OP_NO_TLSv1_1

Hello,

I'm using OpenSSL 1.0.1c in my Server application. This application can be configured to disallow accepting certain SSL/TLS protocols. If only TLS1.2 shall be allowed, the application calls

    meth=(SSL_METHOD*) SSLv23_server_method();
    OpenSSLctx=SSL_CTX_new(meth);
    .....
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv2); // never use SSL2
    if (!allowed_ssl3) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv3);
    if (!allowed_tls1) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1);
    if (!allowed_tls11) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_1);
    if (!allowed_tls12) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_2);
    ....

In the case where: allowed_ssl3 = allowed_tls1 = allowed_tls11 = FALSE and allowed_tls12 = TRUE, I'd expect that I cannot establish a TLS11 connection, but it does. Same is true if only SSLv3 or TLSv10 is allowed. Am I doing something wrong?

Regards
Gerhard Jahn
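
Why the ordering Erik describes matters, as an added example (not code from this thread): OpenSSL copies the context's option bits into each SSL object when it is created, so a later change to the context never reaches connections that already exist. The sketch uses Python's ssl module, which wraps the same OpenSSL calls, on the client side with OP_NO_TLSv1_3 (current builds often refuse TLS 1.1 outright), and reads the offered versions out of the ClientHello. The helper names are made up for the example.

```python
import ssl
import warnings

NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def new_connection(ctx):
    """Create an SSL object (SSL_new under the hood) wired to in-memory BIOs."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    return ctx.wrap_bio(incoming, outgoing), outgoing

def client_hello(conn, outgoing):
    """Start the handshake and return the raw ClientHello record it emits."""
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:   # expected: no peer ever answers
        pass
    return outgoing.read()

def offered_versions(record):
    """List the protocol versions a ClientHello offers, as names."""
    u16 = lambda b, i: int.from_bytes(b[i:i + 2], "big")
    body = record[9:]                       # skip record (5) + handshake (4) headers
    pos = 34                                # legacy_version (2) + random (32)
    pos += 1 + body[pos]                    # session_id
    pos += 2 + u16(body, pos)               # cipher_suites
    pos += 1 + body[pos]                    # compression_methods
    end = pos + 2 + u16(body, pos)          # end of the extensions block
    pos += 2
    versions = [u16(body, 0)]               # fallback: legacy_version is the maximum
    while pos < end:
        ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
        if ext_type == 43:                  # supported_versions (RFC 8446)
            data = body[pos + 4:pos + 4 + ext_len]
            versions = [u16(data, i) for i in range(1, 1 + data[0], 2)]
        pos += 4 + ext_len
    return [NAMES.get(v, hex(v)) for v in versions]

def demo():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # no peer is contacted in this demo
    early, early_out = new_connection(ctx)  # created BEFORE the option is set
    with warnings.catch_warnings():         # OP_NO_* is deprecated in Python 3.10+
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_TLSv1_3
    late, late_out = new_connection(ctx)    # created AFTER the option is set
    return (offered_versions(client_hello(early, early_out)),
            offered_versions(client_hello(late, late_out)))

if __name__ == "__main__":
    print(demo())
```

The connection created before the option was set still offers TLSv1.3, while the one created afterwards tops out at TLSv1.2; a server context behaves the same way for the versions it will accept.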