On 07/12/2015 11:52, zosrothko wrote:
Hi Jacob
Le 18/09/2015 19:34, Jakob Bohm a écrit :
On 18/09/2015 18:05, zosrothko wrote:
Hi
is there a way to know the supported TLS protocols from the
OPENSSL_VERSION_NUMBER (specifically, the TLSv1_1 and TLSv1_2?
For exemple, I have a code that is using TLSv1_1_client_method &
TLSv1_1_server_method for a OPENSSL_VERSION_NUMBER = 0x1000201fL, but
I need to protect those TLSv1_1 and TLSv1_2 entry points references
when my code is ported toward a previous version of OpenSSL that does
not support those TLS versions as the 1.0.0k version .
Since there is no OPEN_SSL_NO_TLSv1_1 constant nor
OPEN_SSL_NO_TLSv1_2 constant in the ssl.h(1.0.0k), I would like to
use the OPENSSL_VERSION_NUMBER to protect the references.
The numeric value of OPENSSL_VERSION_NUMBER maps directly
to the textual version number ("1.0.0k"), a look in the
official changelogs for each branch (0.9.8, 1.0.0, 1.0.1,
1.0.2, 1.1.0 etc.) to see at which comparison limits any given
feature was installed.
Or, since you are using the version number of the header
files, not the version of the runtime shared library, you
can simply use ifdef tests for relevant defines existing,
e.g.
#if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
/* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version
* supports TLSv1.1 .
*
* OPENSSL_NO_TLS1 is defined in opensslconf.h or on the
* compiler command line if TLS1.x was removed at OpenSSL
* library build time via Configure options.
*/
/* Code that requires headers from a TLSv1.1 capable OpenSSL
* goes here.
*/
#endif
I saw that in ssl.h, the 'NO' particule means no support of as for example
/* Don't use RFC4507 ticket extension */
# define SSL_OP_NO_TICKET 0x00004000L
What does mean the 'NO' in SSL_OP_NO_TLSv1_1? Should not be the test
reversed as below?
The define is for a flag that can be passed to some other SSL functions
to turn off the TLSv1_1 support during a single execution, hence the
"NO" in its name.
Because those flags are only defined in OpenSSL versions that include
the thing to turn off (at least if not disabled when compiling OpenSSL
itself), I suggested using the very existence of the flag definition
as a way to determine if the thing is included in the OpenSSL version
where the copy of "ssl.h" was taken from.
#if !defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1)
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users