Bug 1300724 - [RFE] make possible to set minimum TLS version for OpenSSL in configuration file
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl (Show other bugs)
Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Keywords: FutureFeature
Depends On:
Reported: 2016-01-21 09:39 EST by David Jaša
Modified: 2018-03-29 09:01 EDT (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1527031
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description David Jaša 2016-01-21 09:39:52 EST
Description of problem:
Most openssl-based programs use just SSLv23_method() in order to listen or connect using all supported protocols. When there is a requirement to limit the available protocols (e.g. as a response to a vulnerability like BEAST or POODLE), the only way to do that is to rebuild all the affected apps (if they don't already have a mechanism to call SSL_CTX_set_min_proto_version() on their own).

It would be beneficial to have a mechanism for this in openssl proper that would expose the SSL_CTX_set_min_proto_version() setting to the user, through the openssl.cnf config file (or maybe through an environment variable).

Version-Release number of selected component (if applicable):
RHEL 7.2 / openssl-1.0.1e-51.el7_2.2.x86_64

How reproducible:

Steps to Reproduce:
1. have a simple openssl-based server and client app using just SSL_CTX_new(SSLv23_method())
2. enforce a minimum protocol version without modifying the app itself

Actual results:
no way to achieve the result without modifying the application or using an application-specific setting mechanism

Expected results:
openssl has a common way to set the minimum protocol version

Additional info:
a similar setting would be beneficial for a cipher whitelist/blacklist

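Editor's note, not part of the original report: upstream OpenSSL later implemented essentially what is asked for here. OpenSSL 1.1.0 added MinProtocol and MaxProtocol to the SSL_CONF command set, and OpenSSL 1.1.1 added the special system_default section under ssl_conf, which SSL_CTX_new() applies to every new context when the library loads its configuration file, so a program that only calls SSL_CTX_new(SSLv23_method()) picks the setting up without being rebuilt. The fragment below is an example openssl.cnf written for this page (it is not the reporter's, Red Hat's or the OpenSSL project's file); the names openssl_conf, ssl_conf and system_default are fixed by OpenSSL, while default_conf, ssl_sect, system_default_sect and server_sect are arbitrary section names chosen here.

```ini
# Example openssl.cnf fragment written for this page.
# Needs OpenSSL 1.1.1 or later: system_default is a 1.1.1 feature,
# MinProtocol/MaxProtocol need 1.1.0+. The 1.0.x series in RHEL 7
# (1.0.1e in the report) has neither, so this does not apply there.

# Default application section, loaded when libssl initialises.
openssl_conf = default_conf

[default_conf]
# Hand the SSL configuration module its own section.
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX at SSL_CTX_new() time, i.e. the
# "common way to set minimum protocol" the report asks for.
system_default = system_default_sect
# Optional opt-in section; only used by programs that call
# SSL_CTX_config(ctx, "server") explicitly.
server = server_sect

[system_default_sect]
# Lowest version any context will negotiate, for servers and clients.
MinProtocol = TLSv1.2
# Upper bound; leave unset to allow everything the build supports.
# MaxProtocol = TLSv1.3
# The cipher whitelist from "Additional info": TLS 1.2 and earlier
# suites at security level 2 (112-bit minimum) ...
CipherString = DEFAULT@SECLEVEL=2
# ... and the TLS 1.3 suites, which are configured separately.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

[server_sect]
# Only takes effect when an application opts in with SSL_CTX_config().
Options = ServerPreference,PrioritizeChaCha
```

To check that the system default is really in force, run `openssl s_server -accept 4433 -cert server.pem -key server.key` with this file installed and then `openssl s_client -connect localhost:4433 -tls1`: the handshake must fail, and because s_client's own context also inherits MinProtocol the client side already refuses to offer TLS 1.0. Two caveats a practitioner should keep in mind: the section is applied at context creation, so an application that itself calls SSL_CTX_set_min_proto_version() or SSL_CTX_set_options() afterwards still overrides it, and the file only covers programs linked against this libssl (statically linked or bundled copies of OpenSSL read their own configuration, if any).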