I would like to update the configuration of OpenSSL 1.0.2 (specifically 1.0.2k-fips as found on AWS's Amazon Linux 2 AMIs), so that any client using OpenSSL refuses TLSv1.1, TLSv1, or anything lower that is not TLSv1.2.
I have learned that for OpenSSL 1.1+, in the OpenSSL config file (e.g., /etc/pki/tls/openssl.cnf on Amazon Linux 2, /usr/lib/ssl/openssl.cnf on Debian derivatives, or whatever $OPENSSL_CONF points to), one can specify openssl_conf -> a section with ssl_conf -> a section with system_default -> a section with MinProtocol=TLSv1.2.
However, that ssl_conf syntax is unknown in OpenSSL 1.0.2k, and instead it tries to load libssl_conf.so, which fails because that shared library does not exist.
So my question: is it possible to configure OpenSSL 1.0.2 to fail if one tries to use TLSv1.1 or below? At least if the openssl binary tries, or any Python code that I don't control using the ssl module for Python 3.9 or lower?
Additional information: at least on Amazon Linux 2 with OpenSSL 1.0.2k-fips, using grep I cannot even find the string MinProtocol in any OpenSSL 1.0.2 related binary or shared library. (But it does occur in an OpenSSL 1.1.1s libssl.so.1.1 that is shipped with an agent I happened to have on that same AL2 system.) So that confirms my suspicion that the answer to my question is: no, this is not possible.
For the record, as a self-answer (to replace an answer that was deleted for looking ChatGPT-generated): OpenSSL 1.0.2 does not support configuring allowed SSL/TLS protocol versions or cipher suites through its configuration file.
Evidence:
- MinProtocol.
- ssl_conf configuration seems to have been added in OpenSSL 1.1.0, per e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918727. And the system_default configuration inside of ssl_conf is automatically applied since OpenSSL 1.1.1, per commit 8a5ed9dc "Apply system_default configuration on SSL_CTX_new()." It is those features, apparently, that make it possible to put TLS configurations in the OpenSSL config file ($OPENSSL_CONF with a distro-specific default), in addition to calling some OpenSSL API.
- On OpenSSL 1.0.2k the attempt fails with:
  could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
(As ChatGPT pointed out, there are various ways where a cooperating client can give OpenSSL such settings, e.g., via its API, via the openssl command line, or via Python's ssl default SSL context; but that was not the point of this question.)
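As an added example (not code from the question or the answer above), this shows the two facts the answer establishes in Python's ssl module: a check of whether the linked OpenSSL is new enough (1.1.1+) for openssl.cnf MinProtocol to be applied automatically, and the "cooperating client" fallback of building a TLSv1.2-only context explicitly. The function names and the (1, 1, 1) cutoff are my own, derived from the version numbers stated in the answer.

```python
import ssl

# Assumption taken from the answer above: the ssl_conf/MinProtocol syntax exists
# from OpenSSL 1.1.0, and system_default is applied on SSL_CTX_new() only from 1.1.1,
# so the config-file route only works on 1.1.1 or newer.
MIN_CONFIG_FILE_VERSION = (1, 1, 1)


def config_file_min_protocol_supported(version_info=ssl.OPENSSL_VERSION_INFO):
    """True if the linked OpenSSL honours MinProtocol from openssl.cnf automatically.

    version_info is an (major, minor, fix, patch, status) tuple as ssl.OPENSSL_VERSION_INFO.
    """
    return tuple(version_info[:3]) >= MIN_CONFIG_FILE_VERSION


def tls12_only_client_context():
    """Client context that refuses TLSv1.1 and below regardless of openssl.cnf.

    This is the application-side route the answer mentions: the client itself
    asks OpenSSL for the restriction instead of relying on a config file.
    """
    ctx = ssl.create_default_context()
    if hasattr(ssl, "TLSVersion") and hasattr(ctx, "minimum_version"):
        # Python 3.7+ linked against OpenSSL 1.1.0g+ exposes set_min_proto_version.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # OpenSSL 1.0.2 builds: no min_proto_version API, so disable the old
        # versions one by one with the legacy OP_NO_* flags.
        ctx.options |= (
            ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
        )
    return ctx


def minimum_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, if queryable."""
    return ctx.minimum_version.name if hasattr(ctx, "minimum_version") else None


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("config-file MinProtocol applied automatically:",
          config_file_min_protocol_supported())
    print("client context minimum version:",
          minimum_version_name(tls12_only_client_context()))
```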