c++sslopensslssl-certificatepoodle-attack

How would i support multiple version of TLS on client side?


Hi I want to support multiple version's of TLS using SSLV23 method on client side.But I am not able to connect getting error :

SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Can anyone please tell me how would i support multiple version of TLS using openssl?

Code Snippet for SSLV23(Not Working)

cctx = SSL_CTX_new(SSLv23_client_method());
  if(cctx) {
  SSL_CTX_set_options(cctx, SSL_OP_NO_SSLv3);
  }

For Only TLS V1 (Working)

cctx = SSL_CTX_new(TLSv1_client_method());

Solution

  • Based on your tags and comments, I assume you want only TLS connections. The clients should initiate only TLS connections. If so, why do you insist on SSLv23_client_method? But the following did send out TLS 1.0 client hello in my test:

    ctx = SSL_CTX_new(SSLv23_client_method());
    SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
    

    To prevent POODLE attack, the best would be to completely disable SSL3 support on client and servers. In your case you mentioned that the servers support only TLS. Hence there is no need for backward compatibility with clients on SSL3 In case the server does talk SSL3, to prevent POODLE attack, client and server should implement TLS fallback signaling Cipher Suite Value- https://datatracker.ietf.org/doc/html/draft-ietf-tls-downgrade-scsv-05

    Examples of setting up TLS on client side:

    /* Exclude SSLv2 and SSLv3 */
    ctx = SSL_CTX_new(TLSv1_client_method());
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
    SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
    
    /* Exclude SSLv2, SSLv3 and TLS 1.0 */
    
     ctx = SSL_CTX_new(TLSv1_1_client_method());
     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
     SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
     SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1);
    
    /* Exclude SSLv2, SSLv3 ,TLS 1.0 and TLS 1.1 */
    
       ctx = SSL_CTX_new(TLSv1_2_client_method());
       SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
       SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3);
       SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1);
       SSL_CTX_set_options(ctx,SSL_OP_NO_TLSv1_1);
    

    You can also OR the options and pass on to SSL_CTX_set_options in one go.