Hi Erik,

I can still connect via TLS 1.1. What I tried:

OpenSSL> version
OpenSSL 1.0.1b 26 Apr 2012
OpenSSL>
OpenSSL> s_server -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 -accept 636 -debug -msg -state -cert e:\OpenSSL\c-examples\server_rsa.pem -cipher RSA
Enter pass phrase for e:\OpenSSL\c-examples\server_rsa.pem:
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Now I start the client:

OpenSSL> s_client -connect myserver:636 -tls1_1
Loading 'screen' into random state - done
CONNECTED(00000364)
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = My-Company, OU = DirX-Example, OU = DirX8.2, CN = dirxldapv3
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=My-Company/OU=DirX-Example/OU=DirX8.2/CN=dirxldapv3
   i:/O=My-Company/OU=DirX-Example/CN=test-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC9zCCAeCgAwIBAgICAKEwDQYJKoZIhvcNAQEFBQAwPjETMBEGA1UEChMKTXkt
Q29tcGFueTEVMBMGA1UECxMMRGlyWC1FeGFtcGxlMRAwDgYDVQQDEwd0ZXN0LUNB
MB4XDTExMDcxMzEyMDk1MFoXDTIxMDcxMDEyMDk0OVowUzETMBEGA1UEChMKTXkt
Q29tcGFueTEVMBMGA1UECxMMRGlyWC1FeGFtcGxlMRAwDgYDVQQLEwdEaXJYOC4y
MRMwEQYDVQQDEwpkaXJ4bGRhcHYzMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKB
gAD4f3o1I36SI/XfEWqHlvqFhIASBClepEgU0hWu+OuZvH0AEokngTBTGJErd93C
E4dAFddVvZ6qDXGvYCme4VPfr9VrpS+EcraAL7+0qlWsIFHBSi98ZEhT1sD3HO/r
5dcIOOMmqMxMLmzuEYrACTdMWt58UwCfCFq4IvCatK5hAgMBAAGjcDBuMB0GA1Ud
DgQWBBQjHDHZyctiBo3v3jDkWE6O5obvwjAfBgNVHSMEGDAWgBRfFYKlg1D6vaq4
wBcw6YiNBdf4HTAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADARBglghkgBhvhC
AQEEBAMCAEAwDQYJKoZIhvcNAQEFBQADggEAAEAM3uRuX2zOXvFXC6QAjhw8TzjC
+PFb1tvXAtJzVBYwgHrHPFMfLzrn4ZyMxUhFNY0vrbQBB+d6+zGIvHaKercSNTZD
VrhI5AEPXz3c4MzPwDIJuWZIBth5EinL99pcoy/8NiBbATbgw0bBlqTHfL3KvQEj
fdhZQ7eB7LX9xDZfzdABNy2eQQdjiinn1/eZQQf1knIq7kYwU841FhmPr4pzn0A7
dA0pd5bxfb5Vwhe8CXVv5EJNTFfOR430+L1AnPq9svPjRyTutTKePYK8HXPRAvyd
3rob/mHzKhQoCGLDuUo7d9GTEwOGzs4L9tkrIFv6WqT55K0xqNjwViOrBQ==
-----END CERTIFICATE-----
subject=/O=My-Company/OU=DirX-Example/OU=DirX8.2/CN=dirxldapv3
issuer=/O=My-Company/OU=DirX-Example/CN=test-CA
---
No client certificate CA names sent
---
SSL handshake has read 1100 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1016 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: B381784F69E8CB800770B1E8BF90200027B8612DDFCD51782B62675038ECC0CE
    Session-ID-ctx:
    Master-Key: 9E20FFC8EA4550EAD225CBAA7D59FD654DB9658B6C08C70487E7A9B46C2A6850316478FAB394924529AEB8FB6E15353C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 35 e5 37 a3 b6 d5 24 07-0a 6b ef fa d9 ff 5f 7c   5.7...$..k...._|
    0010 - 78 08 34 8d 07 15 7c ba-f8 6c 06 e0 02 e2 18 eb   x.4...|..l......
    0020 - f9 05 2b 4f 59 a1 58 53-a6 eb 51 36 1a a2 c4 d4   ..+OY.XS..Q6....
    0030 - e4 b9 d4 70 ed 08 c9 44-f2 9e 51 3a c7 03 72 39   ...p...D..Q:..r9
    0040 - 1e cc e4 4f fc 3a ea 99-41 41 cd 95 ca 0f ed bc   ...O.:..AA......
    0050 - 5d 36 d4 4a 7e 7f 16 96-bf 51 36 a0 22 bd ab 54   ]6.J~....Q6."..T
    0060 - e0 0c 29 7f 01 a9 15 bd-6f 42 af 4d 2a 9d 3d b5   ..).....oB.M*.=.
    0070 - 8e b3 06 4f 0f 44 53 a8-79 25 04 cd 08 aa c0 be   ...O.DS.y%......
    0080 - 2b 24 c7 4a d4 2b 49 6d-69 46 db 67 c6 55 ab d9   +$.J.+ImiF.g.U..
    0090 - bf 93 49 f5 ff 2c 07 10-3f 32 f4 49 4d e6 b7 27   ..I..,..?2.IM..'
    Start Time: 1346661046
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
OpenSSL>

Regards
Gerhard Jahn
Atos IT Solutions and Services GmbH, Otto-Hahn-Ring 6, 81739 München, Germany

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal
Sent: Friday, August 31, 2012 10:01 PM
To: openssl-users@openssl.org
Subject: RE: SSL_CTX_set_options not working for SSL_OP_NO_TLSv1_1

Hi Gerhard,

I have been playing with those options myself and your scenario should work. Try using s_server -no_ssl2 -no_ssl3 -no_tls1 -no_tls1_1 in conjunction with s_client -tls1_1. This sets exactly the options you indicate and it fails to connect.

It's not clear from your code, but make sure you are setting those options on the SSL_CTX before you create an SSL session from that context.

Erik
....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jahn, Gerhard
Sent: Friday, August 31, 2012 5:33 AM
To: 'openssl-users@openssl.org'
Subject: SSL_CTX_set_options not working for SSL_OP_NO_TLSv1_1

Hello,

I'm using OpenSSL 1.0.1c in my server application. This application can be configured to disallow accepting certain SSL/TLS protocols. If only TLS 1.2 shall be allowed, the application calls

    meth = (SSL_METHOD *) SSLv23_server_method();
    OpenSSLctx = SSL_CTX_new(meth);
    .....
    SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv2);   // never use SSL2
    if (!allowed_ssl3)  SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_SSLv3);
    if (!allowed_tls1)  SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1);
    if (!allowed_tls11) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_1);
    if (!allowed_tls12) SSL_CTX_set_options(OpenSSLctx, SSL_OP_NO_TLSv1_2);
    ....

In the case where allowed_ssl3 = allowed_tls1 = allowed_tls11 = FALSE and allowed_tls12 = TRUE, I'd expect that I cannot establish a TLS 1.1 connection, but I can. The same is true if only SSLv3 or TLSv1.0 is allowed.

Am I doing something wrong?

Regards
Gerhard Jahn
Atos IT Solutions and Services GmbH, Otto-Hahn-Ring 6, 81739 München, Germany