ssl - OpenSSL let the server and client negotiate the method -


following outdated tutorial managed create https server using openssl tls1.2, , i'm proud of ;)

however tls 1.2 supported in latest browsers , have kind of negotiation of protocol between client , server, i'm sure can done, i'm not able find how! if client supports tls1.0, use that. , if supports sslv3, use that. not sure sslv2, maybe better leave that...

the code use right is:

ssl_library_init(); openssl_add_all_algorithms(); ssl_load_error_strings(); ssl_method = tlsv1_2_server_method(); ssl_ctx = ssl_ctx_new(ssl_method);

then server certificates loaded , ssl_ctx shared among connections. when client accepted server socket encapsulated in ssl object (whatever represents):

ssl = ssl_new(ssl_ctx); ssl_set_fd(ssl, client_socket); ssl_accept(ssl);

so guess has changed in ssl_ctx creation allow more methods... idea?

<rant> no decent, extensive documentation can found openssl, best available 10 years old tutorial! </rant>

thanks in advance.

you using sslv23_method() (and friends) instead of specific method (e.g. tlsv1_2_server_method() in example). sends sslv2 clienthello specifies highest protocol supported. outdated man page says:

sslv23_method(void), sslv23_server_method(void), sslv23_client_method(void)

a tls/ssl connection established these methods understand sslv2, sslv3, , tlsv1 protocol. client send out sslv2 client hello messages , indicate understands sslv3 , tlsv1. server understand sslv2, sslv3, , tlsv1 client hello messages. best choice when compatibility concern.

this online man page doesn't discuss newer tlsv1_1 , tlsv1_2 protocols, verified in 1.0.1g source of s23_clnt.c sslv23_method() includes them.

you limit protocols accept ssl_ctx_set_options():

the list of protocols available can later limited using ssl_op_no_sslv2, ssl_op_no_sslv3, ssl_op_no_tlsv1 options of ssl_ctx_set_options() or ssl_set_options() functions. using these options possible choose e.g. sslv23_server_method() , able negotiate possible clients, allow newer protocols sslv3 or tlsv1.

note, however, can't enable arbitrary sets of protocols, contiguous protocols in sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2. example, can't choose sslv3 , tlsv1_1, omitting tlsv1. comment in source explains why:

ssl_op_no_x disables protocols above x if there protocols below x enabled. required in order maintain "version capability" vector contiguous. if application wants disable tls1.0 in favour of tls1>=1, insufficient pass ssl_no_tlsv1, answer ssl_op_no_tlsv1|ssl_op_no_sslv3|ssl_op_no_sslv2.


-

Comments

Post a Comment

Popular posts from this blog

how to proxy from https to http with lighttpd -

i have internal site (192.168.2.1) accessible http on different server run public web-server using lighttpd. can make internal site accessible outside work follows $http["host"] == "internal.example.com" { ... proxy.server = ( "" => ( "internal" => ( "host" => "192.168.2.1", "port" => 8000 ) ) } this works, use https outside world. question is, how can proxy going https http ? i've tried this: $server["socket"] == ":443" { $http["host"] == "internal.example.com" { ... proxy.server = ( "" => ( "internal" => ( "host" => "http://192.168.2.1", "port" => 8000 ) ) } } but doesn't seem wor...
Read more

android - Automated my builds -

i have multiple app , android project want automated in build , release sequence. have ant script build , create apk of app. want have 1 script or ant file start build sequence app. maybe don't konw search, can't find easy documentation on ant. the point of use jenkins ant (or maven, i'm not sure of difference between them now) automated build sequence when people commit on project. any int appreciated maven dependencies (over ant) don't need pass around jars. recommend maven on ant day. syntax , overall process easier understand, @ end of both build tools. if able to, more recommend upgrading gradle. easy create different build types , create them ./gradlew assemble here project jake wharton can see power of gradle. there release , debug build, can make lot more if like. https://github.com/jakewharton/u2020 here android docs gradle http://tools.android.com/tech-docs/new-build-system/user-guide . if can't find looking here, check out main grad...
Read more

python - Flask migration error -

i've got application build on flask , wanted create new migration today. when run $python manage.py db upgrade i got message raise util.commanderror('only single head supported. ' alembic.util.commanderror: single head supported. script directory has multiple heads (due branching), must resolved manually editing revision files form linear sequence. run alembic branches see divergence(s). so run command $alembic branches no config file 'alembic.ini' found, or file has no '[alembic]' section any clue on about? the error messages coming alembic, use command form alembic <command> , integrating flask coming flask-migrate, need use form python manage.py db branches . to resolve multiple branches, make 1 of branches point down other branch upgrade graph straight line. see alembic's docs on branches: http://alembic.readthedocs.org/en/latest/branches.html
Read more