Description of problem:
MinProtocol / MaxProtocol doesn't set TLS/DTLS limits separately.

Version-Release number of selected component (if applicable):
openssl-1.1.1k-1.fc34.x86_64

How reproducible:
always

Context: figuring out what to write in the policy file to fix bz1934600

Steps to Reproduce:
$ openssl req -x509 -newkey rsa:3072 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost" 2>/dev/null
$ unbuffer openssl s_server --key key.pem --cert cert.pem -dtls1_2 --accept 3333 &
$ cp /etc/crypto-policies/back-ends/opensslcnf.config /etc/crypto-policies/back-ends/opensslcnf.config.bak
$ cat > /etc/crypto-policies/back-ends/opensslcnf.config << EOF
MinProtocol = DTLSv1
MaxProtocol = DTLSv1
MinProtocol = TLSv1
MaxProtocol = TLSv1
EOF
$ sleep 1
$ openssl s_client -dtls --connect localhost:3333

Actual results:
DTLSv1.2 is used

Expected results:
Connection fails

Additional info:
* if I remove or hoist up the TLS Min/MaxProtocol lines, DTLS limits are applied correctly, but then the TLS limits get unset (TLSv1.3 is used)
* setting the limit through -max_protocol seems to work ok (adding a -max_protocol TLSv1.2 doesn't change DTLS limits)
This is how you do it:

DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1
TLS.MinProtocol = TLSv1
TLS.MaxProtocol = TLSv1

Please note the prefixes before the '.' are irrelevant; they just need to be different.
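As an added example (not from the bug report, OpenSSL or crypto-policies), a small Python lint for an ssl-module config section such as opensslcnf.config. It assumes, as the report above describes, that a key repeated verbatim in a section keeps only its last value and that only the part of the key after the last '.' is the command, so distinct prefixes keep both pairs; FAMILY, REPORTED and FIXED are constructed names.

```python
from collections import OrderedDict

# Which protocol family each version string bounds (the strings used above).
FAMILY = {v: "TLS" for v in ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
FAMILY.update({v: "DTLS" for v in ("DTLSv1", "DTLSv1.2")})

# Constructed inputs: the reporter's section and the corrected one.
REPORTED = "MinProtocol = DTLSv1\nMaxProtocol = DTLSv1\nMinProtocol = TLSv1\nMaxProtocol = TLSv1\n"
FIXED = "DTLS.MinProtocol = DTLSv1\nDTLS.MaxProtocol = DTLSv1\nTLS.MinProtocol = TLSv1\nTLS.MaxProtocol = TLSv1\n"

def parse_section(text):
    """Parse 'key = value' lines. Assumption matching the report: a key repeated
    verbatim keeps only its last value; the lost (key, value) pairs are returned
    in `shadowed`."""
    values, shadowed = OrderedDict(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in values:
            shadowed.append((key, values[key]))
        values[key] = value
    return values, shadowed

def effective_bounds(values):
    """Only the command after the last '.' matters, and each value bounds the
    family it names. Returns {'TLS': {'min','max'}, 'DTLS': {...}}; None = no limit."""
    bounds = {f: {"min": None, "max": None} for f in ("TLS", "DTLS")}
    for key, value in values.items():
        cmd = key.rsplit(".", 1)[-1].lower()  # 'DTLS.MinProtocol' -> 'minprotocol'
        fam = FAMILY.get(value)               # 'None' or a typo -> no family
        if cmd in ("minprotocol", "maxprotocol") and fam is not None:
            bounds[fam][cmd[:3]] = value
    return bounds

def lint(text):
    """Return (bounds, findings); empty findings means both families are bounded
    and no line was silently shadowed."""
    values, shadowed = parse_section(text)
    bounds = effective_bounds(values)
    findings = ["%s repeated: earlier '%s' never applied" % kv for kv in shadowed]
    for fam, b in bounds.items():
        if b["min"] is None and b["max"] is None:
            findings.append("%s: no protocol bounds at all" % fam)
    return bounds, findings
```

Running lint(REPORTED) reports the two shadowed DTLS lines and an unbounded DTLS family, while lint(FIXED) returns bounds for both families and no findings.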
Oh, so that's how one sets them! Thanks a lot, Tomas.