On Sat, May 17, 2014 at 6:31 AM, AlfaOmega08 <alfaomeg...@gmail.com> wrote:
> I had a hard time trying to make a simple HTTPS server with OpenSSL.
> However I managed to build it with TLSv1.2 support using the 1.0.2
> beta version.
>
> The code I use to initialize the context is the following:
>
> ...
> ssl_method = TLSv1_2_server_method();
> ssl_ctx = SSL_CTX_new(ssl_method);
> ...
>
> Unfortunately only latest browsers support TLSv1.2 and documentation
> explicitly states that using TLS_v1_(1)_server_method will not
> gracefully degrade to TLSv1 or SSLv3, and I suppose that the same is
> for TLS_V1_2_server_method. Is there any way to have the server
> *prefer* TLSv1.2 and degrade to TLSv1.1, TLSv1 and SSLv3 (not SSLv2)?

/* Version-flexible method: the handshake settles on the highest
   protocol version both peers support. */
const SSL_METHOD* method = SSLv23_server_method();
SSL_CTX* ctx = SSL_CTX_new(method);
if (ctx == NULL) {
    ERR_print_errors_fp(stderr);  /* handle the failure */
}

/* Switch off SSLv2, SSLv3 and TLS compression; TLS 1.0+ stay enabled. */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

The flags will get you TLS 1.0 and above. The library will do the
right thing and attempt to use the highest protocol version.

There's no reason for SSLv3 in 2014.

> Also I share the created ssl_ctx among all connections received (the
> server fork()s just after SSL_accept). Is this problematic in any way?

No, it's not problematic. See "Fetch reference count for SSL_CTX?",
https://groups.google.com/d/msg/mailing.openssl.users/MknY0buHRBo/8AxZNnQ_jcUJ

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
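The same server-context setup as Jeff's reply, written here as an added example (not code from the thread) using Python's ssl module, which is a thin wrapper over the OpenSSL SSL_CTX calls above. The helper enabled_versions is an assumption of this example: it reads the OP_NO_* bits back out of the context so you can confirm what the server will still negotiate.

```python
"""Constructed example: a version-flexible server context with SSLv2, SSLv3
and compression switched off, mirroring SSLv23_server_method() plus
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION."""
import ssl
import warnings

# Protocol versions that the SSL_OP_NO_* bits can disable, newest first.
# OP_NO_TLSv1_3 is 0 on Python/OpenSSL builds without TLS 1.3, so it is
# skipped there; OP_NO_SSLv2 is 0 on OpenSSL >= 1.1.0, where SSLv2 is gone.
_VERSION_BITS = [
    ("TLSv1.3", getattr(ssl, "OP_NO_TLSv1_3", 0)),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.0", ssl.OP_NO_TLSv1),
    ("SSLv3", ssl.OP_NO_SSLv3),
]


def make_server_context():
    """Equivalent of SSL_CTX_new(SSLv23_server_method()) plus the option bits."""
    # PROTOCOL_TLS_SERVER is the version-flexible server method: the peer gets
    # the highest protocol version both sides support, nothing is pinned.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Python 3.10+ flags the OP_NO_* bits as deprecated in favour of
        # ctx.minimum_version; they still work and match the C-level advice.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    return ctx


def enabled_versions(ctx):
    """Versions the context may still negotiate, preferred (newest) first."""
    return [name for name, bit in _VERSION_BITS if bit and not (ctx.options & bit)]


def compression_disabled(ctx):
    """True when SSL_OP_NO_COMPRESSION is set (defeats CRIME-style attacks)."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    server_ctx = make_server_context()
    print("negotiable versions:", enabled_versions(server_ctx))
    print("compression disabled:", compression_disabled(server_ctx))
```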