nSolvePaul, posted May 22, 2019

A client reports that allowing TLSv1.0 is a security issue. So I set my SslOptions accordingly:

    // C++Builder: "<<" is the Set include operator, adding each option to the set
    m_pSslContext->SslOptions = m_pSslContext->SslOptions
        << sslOpt_NO_SSLv2
        << sslOpt_NO_SSLv3
        << sslOpt_NO_TLSv1
        << sslOpt_CIPHER_SERVER_PREFERENCE  // When choosing a cipher, use the server's preferences instead of the client preferences.
        << sslOpt_SINGLE_DH_USE;            // single DH needed for perfect forward secrecy

However I'm still getting a TLSv1.0 connection (using 'openssl s_client -connect mywebsite.com:22017 -tls1').

What is the correct manner to disable a TLSv1.0 connection (and any tips on how to prove I've disabled it, please)? Thanks
Angus Robertson, posted May 22, 2019 (edited)

For public servers, the best SSL test is https://www.ssllabs.com/ssltest/ which gives a long report on which protocols and ciphers are supported and recommends changes. With ICS V8.60 and later, ICS servers should get an A+ rating, providing you also have certain HTTP headers to block exploits.

For private servers, you can use the latest ICS HTTPS client samples that allow disabling certain protocols, and you can then try to connect to your server. The quickest way is to download the pre-built Browser demo application from http://wiki.overbyte.eu/arch/FrameBrowserIcs.zip, which is a simple browser (no scripting) with extensive HTTP, HTML and SSL logging that allows you to set SSL Security to one of:

    SSLv3 Only
    TLSv1 Only
    TLSv1.1 Only
    TLSv1.2 Only
    TLSv1.3 Only
    TLSv1 or Better
    TLSv1.1 or Better
    TLSv1.2 or Better
    Backward Ciphers
    Intermediate Ciphers
    High Ciphers, 2048 keys
    High Ciphers, 3072 keys
    High Ciphers, 7680 keys

In fact all ICS clients now have the same options in SslContext. Servers are more complicated, but again with V8.60 and later, you can set:

    SSLv3 Only
    Backward Ciphers, TLS1 or Later
    Intermediate Ciphers, TLS1.1 or Later
    Intermediate Ciphers FS, TLS1.1 or Later
    High 112 bit Ciphers, TLS1.2 or Later
    High 128 bit Ciphers, TLS1.2 or Later
    High 192 bit Ciphers, TLS1.2 or Later
    TLSv1.2 or Earlier
    TLSv1.3 Only

provided your server is using IcsHosts. If not, V8.27 (two years ago) added the SslContext properties SslMinVersion and SslMaxVersion, which are what you should be using, not the old options.

Angus

Edited May 22, 2019 by Angus Robertson
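The "prove it from the outside" step the question asks for, as an added example that is not code from this thread or from the ICS project: one openssl s_client attempt per protocol version, each classified from the summary line s_client prints, plus a policy check that TLSv1.0 and TLSv1.1 are refused while TLSv1.2 still works. It assumes an openssl build whose s_client accepts -tls1 through -tls1_3 (OpenSSL 1.1.1 or later); the host and port are placeholders to be supplied on the command line, and the SAMPLE_* strings are constructed excerpts of s_client output used to exercise the classifier offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ICS project: probe a server
# from the outside with openssl s_client, one protocol version per attempt, and
# classify each attempt so "TLSv1.0 disabled" is demonstrated, not assumed.
# Assumes an openssl binary whose s_client has the -tls1, -tls1_1, -tls1_2 and
# -tls1_3 options (OpenSSL 1.1.1 or later).

# handshake_result OUTPUT
# Classifies the text s_client printed.  The summary line
#   "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
# appears only after a completed handshake, and
#   "New, (NONE), Cipher is (NONE)"
# after one the server rejected.  Anything else (connection refused, DNS failure,
# a client that itself refuses the old version) is reported as "unknown", so a
# network error is never mistaken for a disabled protocol.
handshake_result() {
    if printf '%s\n' "$1" | grep -q '^New, (NONE), Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$1" | grep -Eq '^New, (SSLv3|TLSv1(\.[123])?), Cipher is [A-Za-z0-9_-]+'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe_version HOST PORT FLAG
# One s_client attempt restricted to a single protocol version, e.g. FLAG=-tls1.
# stdin is /dev/null so s_client exits right after the handshake instead of
# waiting for request data; stderr is merged because alerts are printed there.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
    handshake_result "$out"
}

# policy_ok R10 R11 R12
# The policy the thread is after: TLSv1.0 and TLSv1.1 refused, TLSv1.2 accepted.
policy_ok() {
    [ "$1" = refused ] && [ "$2" = refused ] && [ "$3" = accepted ]
}

# Constructed s_client excerpts used to exercise handshake_result offline
# (shortened from real output; the "New, ..." line is the part that matters).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_REFUSED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_NO_CONNECT='connect: Connection refused
connect:errno=111'

# Usage: sh probe_tls.sh HOST [PORT]   (PORT defaults to 443; the question used 22017)
if [ -n "$1" ]; then
    host=$1
    port=${2:-443}
    r10=$(probe_version "$host" "$port" -tls1)
    r11=$(probe_version "$host" "$port" -tls1_1)
    r12=$(probe_version "$host" "$port" -tls1_2)
    r13=$(probe_version "$host" "$port" -tls1_3)
    printf 'TLSv1.0: %s\nTLSv1.1: %s\nTLSv1.2: %s\nTLSv1.3: %s\n' "$r10" "$r11" "$r12" "$r13"
    if policy_ok "$r10" "$r11" "$r12"; then
        echo "OK: TLSv1.0 and TLSv1.1 are refused, TLSv1.2 is accepted"
    else
        echo "FAIL: legacy TLS still negotiable, or TLSv1.2 not working"
        exit 1
    fi
fi
```

Two caveats when reading the output. A "refused" for the -tls1_3 probe only means the server does not offer TLSv1.3, which is why policy_ok looks at 1.0, 1.1 and 1.2 only. And if the -tls1 probe comes back "unknown" with s_client complaining that no protocols are available, that is the client's own security level refusing TLSv1.0 (the default on newer OpenSSL builds), not the server; for the probe only, lower it with -cipher 'DEFAULT:@SECLEVEL=0' so the server, not the client, is the one saying no.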
nSolvePaul, posted May 24, 2019

Setting SslMinVersion sorted it - thank you.