nSolvePaul

sslOpt_NO_TLSv1 seems to have no effect


A client reports that allowing TLSv1.0 is a security issue. So I set my SslOptions accordingly:


    m_pSslContext->SslOptions = m_pSslContext->SslOptions
                                << sslOpt_NO_SSLv2
                                << sslOpt_NO_SSLv3
                                << sslOpt_NO_TLSv1
                                << sslOpt_CIPHER_SERVER_PREFERENCE   // When choosing a cipher, use the server's preferences instead of the client preferences.
                                << sslOpt_SINGLE_DH_USE;             // single DH needed for perfect forward secrecy


However I'm still getting a TLSv1.0 connection (using 'openssl s_client -connect mywebsite.com:22017 -tls1')

 

What is the correct manner to disable a TLSv1.0 connection (and any tips on how to prove I've disabled it, please)?

Thanks


For public servers, the best SSL test is https://www.ssllabs.com/ssltest/ which gives a long report on which protocols and ciphers are supported and recommends changes.  With ICS V8.60 and later, ICS servers should get an A+ rating, provided you also have certain HTTP headers to block exploits.

 

For private servers, you can use the latest ICS HTTPS client samples that allow disabling certain protocols, and you can then try to connect to your server.  The quickest way is to download the pre-built Browser demo application from http://wiki.overbyte.eu/arch/FrameBrowserIcs.zip which is a simple browser (no scripting) with extensive HTTP, HTML and SSL logging that allows you to set SSL Security to one of:

 

SSLv3 Only
TLSv1 Only
TLSv1.1 Only
TLSv1.2 Only
TLSv1.3 Only
TLSv1 or Better
TLSv1.1 or Better
TLSv1.2 or Better
Backward Ciphers
Intermediate Ciphers
High Ciphers, 2048 keys
High Ciphers, 3072 keys
High Ciphers, 7680 keys
 

In fact all ICS clients now have the same options in SslContext. 

 

Servers are more complicated, but again with V8.60 and later, you can set:

 

SSLv3 Only
Backward Ciphers, TLS1 or Later
Intermediate Ciphers, TLS1.1 or Later
Intermediate Ciphers FS, TLS1.1 or Later
High 112 bit Ciphers, TLS1.2 or Later
High 128 bit Ciphers, TLS1.2 or Later
High 192 bit Ciphers, TLS1.2 or Later
TLSv1.2 or Earlier
TLSv1.3 Only
 

provided your server is using IcsHosts.  If not, V8.27 (two years ago) added the SslContext properties SslMinVersion and SslMaxVersion, which are what you should be using, not the old options.

 

Angus

Edited by Angus Robertson
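As an added illustration of the two points in the reply above, a hard minimum protocol version rather than per-protocol "NO_xxx" options, and proving the result from the client side, here is a small Go program. It is not ICS code and not part of the thread; Go's tls.Config MinVersion stands in for the ICS SslMinVersion property, and the probe pins a client to one protocol version at a time, which is what `openssl s_client -tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` do. The loopback server, its throwaway self-signed certificate and the function names (startServer, probe, ProbeAll) are all constructed for this example; against a real server you would skip startServer and pass your own host:port to ProbeAll.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions to probe, oldest first; the names are what the report prints.
var probeVersions = []struct {
	name string
	id   uint16
}{
	{"TLSv1.0", tls.VersionTLS10},
	{"TLSv1.1", tls.VersionTLS11},
	{"TLSv1.2", tls.VersionTLS12},
	{"TLSv1.3", tls.VersionTLS13},
}

// selfSignedCert makes a throwaway ECDSA certificate for the loopback server
// (constructed for this example; a real server uses its own certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on a random loopback port. minVersion is a hard floor,
// the counterpart of ICS SslMinVersion: older client hellos get a protocol_version alert.
func startServer(minVersion uint16) (addr string, stop func(), err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // complete (or refuse) the handshake, then hang up
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probe pins a client to exactly one protocol version, like "openssl s_client -tls1",
// and reports whether the server completed the handshake at that version.
func probe(addr string, version uint16) bool {
	cfg := &tls.Config{
		MinVersion:         version,
		MaxVersion:         version,
		InsecureSkipVerify: true, // self-signed test certificate; only the version matters here
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ProbeAll tries every version and returns name -> accepted: the evidence a
// client would ask for that the old versions really are gone.
func ProbeAll(addr string) map[string]bool {
	accepted := make(map[string]bool, len(probeVersions))
	for _, v := range probeVersions {
		accepted[v.name] = probe(addr, v.id)
	}
	return accepted
}

func main() {
	for _, floor := range []struct {
		label string
		min   uint16
	}{{"min TLSv1.0", tls.VersionTLS10}, {"min TLSv1.2", tls.VersionTLS12}} {
		addr, stop, err := startServer(floor.min)
		if err != nil {
			panic(err)
		}
		got := ProbeAll(addr)
		fmt.Printf("server with %s:\n", floor.label)
		for _, v := range probeVersions {
			fmt.Printf("  %-8s accepted=%v\n", v.name, got[v.name])
		}
		stop()
	}
}
```

The first server run shows what a floor of TLSv1.0 looks like (every version accepted); the second, with the floor at TLSv1.2, shows TLSv1.0 and TLSv1.1 refused while TLSv1.2 and TLSv1.3 still connect. InsecureSkipVerify is only there because the example certificate is self-signed; when probing a real server leave verification on so the probe also confirms the certificate chain.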
