On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> On 08.07.20 12:21, Viktor Dukhovni wrote:
>> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
>>
>>> On 08/07/2020 16:28, Viktor Dukhovni wrote:
>>>>> How could I set the a System default "MinProtocol" for DTLS and TLS to
>>>>> 1.2?
>>>>
>>>> AFAIK, that's not presently possible. You can specify application
>>>> profiles, for applications that specify an application name when
>>>> initializing OpenSSL. Or use the OPENSSL_CONF environment variable to
>>>> select an alternative configuration file for DTLS applications.
>>>
>>> Arguably, that is a bug. You *should* be able to do that - perhaps based
>>> on some sensible mapping between TLS protocol versions based on whether
>>> we have a DTLS or TLS based SSL_METHOD.
>
> Should I open an issue at https://github.com/openssl/openssl/issues?
Yes please.
> But for my personal problem right now (openconnect uses TLS and DTLS, so
> even if it would set an application name I couldn't set a "proper"
> setting), until this bug is fixed, I use this now:
>
> # MinProtocol = TLSv1.2
> Protocol = -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1.2
Looks sane - although do you also mean to disable DTLSv1? Perhaps for
safety you should also disable SSLv3 (although support for it is not
built by default anyway).
Matt