TLS v1.1

2010-01-29 Thread Brandt Springman
Hi All,

Does anyone in openssl-dev know of any plans to add TLS v1.1 support to
OpenSSL in the near future?  If so do you know when and how might I get
in touch?

Kind regards,

Brandt



Re: TLS v1.1

2010-01-29 Thread Dr. Stephen Henson
On Fri, Jan 29, 2010, Brandt Springman wrote:

> 
> Does anyone in openssl-dev know of any plans to add TLS v1.1 support to
> OpenSSL in the near future?  If so do you know when and how might I get
> in touch?
> 

TLS v1.1 is already supported in an experimental state in OpenSSL 1.1.0-dev.
Since 1.0.0 is in beta and feature freeze it won't be added to there. It will
be backported to 1.0.1 when that is released.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[PATCH] Disable RC4 for TLS v1.1+ (server-side).

2014-02-03 Thread Piotr Sikora
(this was originally sent to rt@, but it never made it through)

Hello,
considering that RC4 is pretty much broken by now, I don't think there
is a good reason for using it in TLS v1.1+.

Attached patch stops servers from negotiating RC4-based cipher suites
on connections using TLS v1.1+. This is mostly RFC and not something
ready to be committed, because users should (or maybe not?) be able to
tweak this via SSL{,_CTX}_set_options(). However, it seems that all
the option values are already taken and I'm not in the position to
decide if this is more important than any of the existing options.

Best regards,
Piotr Sikora


Attachment: openssl_1_0_1__disable_rc4.patch
Attachment: openssl_1_0_2__disable_rc4.patch


RE: [PATCH] Disable RC4 for TLS v1.1+ (server-side).

2014-02-03 Thread Watson, Patrick
While no longer using RC4 might be a good idea, I'm not certain that OpenSSL 
should /force/ it as long as the cipher is still a valid choice. 

This seems like a job for SSL_CTX_set_cipher_list 
(http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html). A good server 
would be calling this anyway since (at least according to the docs at 
http://www.openssl.org/docs/apps/ciphers.html) the default cipher list is 
ALL:!aNULL:!eNULL. I could even conceive of turning off RC4 by default, but you 
should probably let people turn it back on if they have it in their cipher list.

Patrick Watson



-Original Message-
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Piotr Sikora
Sent: Monday, February 03, 2014 5:45 PM
To: openssl-dev@openssl.org
Subject: [PATCH] Disable RC4 for TLS v1.1+ (server-side).

(this was originally sent to rt@, but it never made it through)

Hello,
considering that RC4 is pretty much broken by now, I don't think there is a 
good reason for using it in TLS v1.1+.

Attached patch stops servers from negotiating RC4-based cipher suites on 
connections using TLS v1.1+. This is mostly RFC and not something ready to be 
committed, because users should (or maybe not?) be able to tweak this via 
SSL{,_CTX}_set_options(). However, it seems that all the option values are 
already taken and I'm not in the position to decide if this is more important 
than any of the existing options.

Best regards,
Piotr Sikora


Re: [PATCH] Disable RC4 for TLS v1.1+ (server-side).

2014-02-03 Thread Piotr Sikora
Hello Patrick,

> While no longer using RC4 might be a good idea, I'm not certain that OpenSSL 
> should /force/ it as long as the cipher is still a valid choice.

Agreed, that's why I wrote it should be an SSL{,_CTX}_set_options()
option, but there are no unused values to do that.

> This seems like a job for SSL_CTX_set_cipher_list 
> (http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html). A good server 
> would be calling this anyway since (at least according to the docs at 
> http://www.openssl.org/docs/apps/ciphers.html) the default cipher list is 
> ALL:!aNULL:!eNULL. I could even conceive of turning off RC4 by default, but 
> you should probably let people turn it back on if they have it in their 
> cipher list.

The main point of this patch is to disable RC4 only for connections
using TLS v1.1+ and keep it around for connections using TLS v1.0 to
protect against the BEAST attack. Currently, there is no way to
specify different cipher suites for different protocols, so you cannot
achieve that with SSL{,_CTX}_set_cipher_list.

Best regards,
Piotr Sikora
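Added example, not code from the thread or from OpenSSL: a stand-alone C model of the server-side suite choice the patch changes, evaluated under the three policies discussed above (the stock behaviour, a static "!RC4" cipher list as Patrick suggests, and the patch's version-dependent rule). The suite table, the client offers, the policy names and the choose_cipher()/beast_exposed() helpers are constructed for this example; only the TLS version numbers are the real wire values.

```c
/*
 * Constructed model of server-preference cipher selection with a
 * version-dependent RC4 policy. Not OpenSSL code; the suite table and the
 * ClientHello offers below are made up for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS wire version numbers (major.minor). */
#define TLS1_0_VERSION 0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

enum rc4_policy {
    RC4_ALWAYS,     /* stock behaviour: RC4 negotiable on every version */
    RC4_NEVER,      /* static "...:!RC4" cipher list: RC4 gone on every version */
    RC4_TLS10_ONLY  /* the patch's rule: RC4 only when the connection is TLS 1.0 */
};

enum mode { MODE_CBC, MODE_RC4 };

struct suite {
    const char *name;   /* OpenSSL-style suite name (constructed table) */
    enum mode mode;
};

/* Constructed server preference list; RC4 first, as a BEAST-era server might order it. */
static const struct suite server_prefs[] = {
    {"RC4-SHA",      MODE_RC4},
    {"AES128-SHA",   MODE_CBC},
    {"AES256-SHA",   MODE_CBC},
    {"DES-CBC3-SHA", MODE_CBC},
};
#define NSUITES (sizeof(server_prefs) / sizeof(server_prefs[0]))

/* Constructed ClientHello offers, NULL-terminated. */
const char *const HELLO_OFFER[]    = {"RC4-SHA", "AES128-SHA", "AES256-SHA", NULL};
const char *const RC4_ONLY_OFFER[] = {"RC4-SHA", NULL};

static int rc4_permitted(enum rc4_policy policy, int version)
{
    switch (policy) {
    case RC4_ALWAYS:     return 1;
    case RC4_NEVER:      return 0;
    case RC4_TLS10_ONLY: return version < TLS1_1_VERSION;
    }
    return 0;
}

static int client_offers(const char *const *offer, const char *name)
{
    for (; *offer != NULL; offer++)
        if (strcmp(*offer, name) == 0)
            return 1;
    return 0;
}

/* First suite in server order that the client offered and the policy allows
 * for this version. NULL means no shared cipher: the handshake would fail. */
const char *choose_cipher(enum rc4_policy policy, int version,
                          const char *const *client_offer)
{
    size_t i;
    for (i = 0; i < NSUITES; i++) {
        const struct suite *s = &server_prefs[i];
        if (s->mode == MODE_RC4 && !rc4_permitted(policy, version))
            continue;
        if (client_offers(client_offer, s->name))
            return s->name;
    }
    return NULL;
}

/* BEAST concerns CBC suites on TLS 1.0 (and SSL 3.0); report that exposure
 * for a chosen suite so each policy's trade-off is visible. */
int beast_exposed(const char *chosen, int version)
{
    size_t i;
    if (chosen == NULL || version >= TLS1_1_VERSION)
        return 0;
    for (i = 0; i < NSUITES; i++)
        if (strcmp(server_prefs[i].name, chosen) == 0)
            return server_prefs[i].mode == MODE_CBC;
    return 0;
}

int main(void)
{
    static const enum rc4_policy policies[] = {RC4_ALWAYS, RC4_NEVER, RC4_TLS10_ONLY};
    static const char *const names[] = {"RC4_ALWAYS", "RC4_NEVER", "RC4_TLS10_ONLY"};
    static const int versions[] = {TLS1_0_VERSION, TLS1_1_VERSION, TLS1_2_VERSION};
    size_t p, v;

    for (p = 0; p < 3; p++)
        for (v = 0; v < 3; v++) {
            const char *c = choose_cipher(policies[p], versions[v], HELLO_OFFER);
            printf("%-14s TLS 1.%d -> %-12s%s\n", names[p],
                   versions[v] - TLS1_0_VERSION,
                   c ? c : "(no shared cipher)",
                   beast_exposed(c, versions[v]) ? "  [BEAST-exposed]" : "");
        }
    /* Cost of either ban: a client offering only RC4 cannot connect on TLS 1.1+. */
    printf("RC4_TLS10_ONLY TLS 1.2, RC4-only client -> %s\n",
           choose_cipher(RC4_TLS10_ONLY, TLS1_2_VERSION, RC4_ONLY_OFFER)
               ? "ok" : "(no shared cipher)");
    return 0;
}
```

The output makes the trade-off in the thread explicit: with a static "!RC4" list a TLS 1.0 client lands on a CBC suite, which is the BEAST exposure Piotr wants to keep RC4 around for, while the patch's rule keeps RC4 on TLS 1.0 and drops it from 1.1 up. Either ban turns an RC4-only client into a handshake failure on the versions where RC4 is refused. With OpenSSL itself, one way to get the same per-connection decision without a library change (not raised in the thread) is to call SSL_set_cipher_list() on the SSL object from a callback that runs after the ClientHello has been parsed, such as the servername callback, at which point SSL_version() already reports the negotiated version.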