List supported SSL/TLS versions for a specific OpenSSL build
You can not check for version support via command line. Best option would be checking OpenSSL changelog.
Openssl versions till 1.0.0h supports SSLv2, SSLv3 and TLSv1.0. From Openssl 1.0.1 onward support for TLSv1.1 and TLSv1.2 is added.
How to build OpenSSL 1.0 DLLs with less secure TLS protocol versions disabled?
I was able to accomplish my goal by modifying the ssl23_get_client_hello() function in ssl\s23_srvr.c to check the requested version and throw an SSL_R_UNSUPPORTED_PROTOCOL error if it's less than TLS 1.2.
How to list TLS 1.2 ciphersuites im openssl 1.0.2g
The option -tls1 includes TLSv1, TLSv1.1 or TLSv1.2.
The documentation talks about it.
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
How to get the TLS client supported TLS versions in python ssl
The functionality you're after is available (at least partially) in Python 3.6 (and newer). Check [Python 3]: ssl - TLS/SSL wrapper for socket objects for more details:
>>> import sys
>>> import ssl
>>> "Python {:s} on {:s}".format(sys.version, sys.platform)
'Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32'
>>> ctx0 = ssl.create_default_context()
>>> ctx0.options
<Options.OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -2091252737>
For older versions, some code (which also works on newer ones) is required.
code.py:
#!/usr/bin/python3
import sys
import ssl
from pprint import pprint as pp
__PROTO_TAG = "PROTOCOL_"
__OP_NO_TAG = "OP_NO_"
__OP_NO_TAG_LEN = len(__OP_NO_TAG)
_PROTOS_DATA = list()
for item_name in dir(ssl):
if item_name.startswith(__OP_NO_TAG) and item_name[-1].isdigit(): # item_name[-1].isdigit() condition is required because protocol denial (OP_NO_*) constants end in digit(s) (version); therefore constants like OP_NO_TICKET are excluded
op_no_item = getattr(ssl, item_name)
if op_no_item:
proto_name = item_name[__OP_NO_TAG_LEN:]
_PROTOS_DATA.append((proto_name, getattr(ssl, __PROTO_TAG + proto_name, -1), op_no_item))
del __OP_NO_TAG_LEN
del __OP_NO_TAG
del __PROTO_TAG
def get_protocols(ctx):
supported_classes = (ssl.SSLContext,)
if not isinstance(ctx, supported_classes):
raise TypeError("Argument must be an instance of `{:}`".format(supported_classes[0] if len(supported_classes) == 1 else supported_classes))
protocols = list()
for proto_data in _PROTOS_DATA:
if ctx.options & proto_data[-1] != proto_data[-1]:
protocols.append(proto_data[:-1])
return protocols
def print_data(ctx):
print("Options: {:08X} ({!r})".format(ctx.options, ctx.options))
print("Protocols:")
for proto in get_protocols(ctx):
print(" {:s} - {:d}".format(*proto))
print()
def main():
print("{:s}\n".format(ssl.OPENSSL_VERSION))
ctx0 = ssl.create_default_context()
print_data(ctx0)
print("--- Removing TLSv1_1...")
ctx0.options |= ssl.OP_NO_TLSv1_1
print_data(ctx0)
print("--- Adding SSLv3...")
ctx0.options -= ssl.OP_NO_SSLv3 # !!! N.B.: Due to the fact that ssl.OP_NO_* flags only have one bit set, this works, but DON'T DO IT !!!
print_data(ctx0)
print("\nComputed protocols:")
pp([item[:-1] + (hex(item[-1]),) for item in _PROTOS_DATA])
if __name__ == "__main__":
print("Python {:s} on {:s}\n".format(sys.version, sys.platform))
main()
Notes:
- As I worked extensively in this area, I have lots of Python versions on a variety of OSes, built against various OpenSSL versions (as seen in the outputs below)
- Tried to keep everything as general as possible
- Basing the code on (ssl) module attributes only; due to the fact that each Python version is built with a particular OpenSSL version, surprises might arise when using custom combinations (I could hardcode the OP_NO_* constants - which are consistent over OpenSSL versions, but that wouldn't be scalable)
- There is the ssl module implementation (specific to Python version, which relies on a specific OpenSSL version - as stated above), plus the OpenSSL version (which might might not have some stuff) actually used to build the ssl module. That's why running the same code on various combinations, yields (slightly) different results (check outputs below)
- On Win things are simpler, as (by default) OpenSSL is statically linked in _ssl.pyd (starting with Python 3.7, this no longer applies, the OpenSSL .dlls are also shipped as part of Python), but on Nix, the OpenSSL libs (that are installed on the system) are loaded at runtime
Code walkthrough:
_PROTOS_DATA - computed at module import time: it's a list of protocol entries, based on ssl module attributes. Each entry has 3 fields:
- Protocol name
- Protocol identifier in the ssl module (-1 if not present: e.g. SSLv2)
- The OP_NO_ constant used to disable this protocol
It's displayed at the end of each run for clarity
- get_protocols - determines the "active" supported protocols for an
ssl.SSLContext - print_data - helper function
Output:
Win 10 x64
e:\Work\Dev\StackOverflow\q049788677>"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python36_64\python.exe" code.py
Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32
OpenSSL 1.0.2k 26 Jan 2017
Options: -7CA5FC01 (<Options.OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -2091252737>)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
--- Removing TLSv1_1...
Options: -6CA5FC01 (<Options.OP_NO_TLSv1_1|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -1822817281>)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
--- Adding SSLv3...
Options: -6EA5FC01 (<Options.OP_NO_TLSv1_1|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION|OP_ALL: -1856371713>)
Protocols:
SSLv3 - 1
TLSv1 - 3
TLSv1_2 - 5
Computed protocols:
[('SSLv2', -1, '0x1000000'),
('SSLv3', <_SSLMethod.PROTOCOL_SSLv3: 1>, '0x2000000'),
('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'),
('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'),
('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]
e:\Work\Dev\StackOverflow\q049788677>"e:\Work\Dev\VEnvs\py34x64_test\Scripts\python.exe" code.py
Python 3.4.4 (v3.4.4:737efcadf5a6, Dec 20 2015, 20:20:57) [MSC v.1600 64 bit (AMD64)] on win32
OpenSSL 1.0.2d 9 Jul 2015
Options: -7CFDFC01 (-2097019905)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
--- Removing TLSv1_1...
Options: -6CFDFC01 (-1828584449)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
--- Adding SSLv3...
Options: -6EFDFC01 (-1862138881)
Protocols:
SSLv3 - 1
TLSv1 - 3
TLSv1_2 - 5
Computed protocols:
[('SSLv2', 0, '0x1000000'),
('SSLv3', 1, '0x2000000'),
('TLSv1', 3, '0x4000000'),
('TLSv1_1', 4, '0x10000000'),
('TLSv1_2', 5, '0x8000000')]
e:\Work\Dev\StackOverflow\q049788677>"c:\Install\x64\Python\Python\3.7\python.exe" code.py
Python 3.7.0b4 (v3.7.0b4:eb96c37699, May 2 2018, 19:02:22) [MSC v.1913 64 bit (AMD64)] on win32
OpenSSL 1.1.0h 27 Mar 2018
Options: -7DBDFFAC (<Options.OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -2109603756>)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
--- Removing TLSv1_1...
Options: -6DBDFFAC (<Options.OP_NO_TLSv1_1|OP_NO_SSLv3|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -1841168300>)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
--- Adding SSLv3...
Options: -6FBDFFAC (<Options.OP_NO_TLSv1_1|OP_CIPHER_SERVER_PREFERENCE|OP_NO_COMPRESSION|OP_ALL: -1874722732>)
Protocols:
SSLv3 - -1
TLSv1 - 3
TLSv1_2 - 5
Computed protocols:
[('SSLv3', -1, '0x2000000'),
('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'),
('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'),
('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]OSX 9 x64:
cfati@cfati-macosx9x64-1:~/Work/Dev/StackOverflow/q049788677]> python code.py
Python 2.7.10 (default, Oct 14 2015, 05:51:29)
[GCC 4.8.2] on darwin
OpenSSL 1.0.1p-fips 9 Jul 2015
Options: 830203FF (2197947391L)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
()
--- Removing TLSv1_1...
Options: 930203FF (2466382847L)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
()
--- Adding SSLv3...
Options: 910203FF (2432828415L)
Protocols:
SSLv3 - 1
TLSv1 - 3
TLSv1_2 - 5
()
Computed protocols:
[('SSLv2', 0, '0x1000000'),
('SSLv3', 1, '0x2000000'),
('TLSv1', 3, '0x4000000'),
('TLSv1_1', 4, '0x10000000'),
('TLSv1_2', 5, '0x8000000')]Ubtu 16 x64:
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]> python3 code.py
Python 3.5.2 (default, Nov 23 2017, 16:37:01)
[GCC 5.4.0 20160609] on linux
OpenSSL 1.0.2g 1 Mar 2016
Options: 830203FF (2197947391)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
--- Removing TLSv1_1...
Options: 930203FF (2466382847)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
--- Adding SSLv3...
Options: 930203FF (2466382847)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
Computed protocols:
[('SSLv2', -1, '0x1000000'),
('SSLv3', -1, '0x2000000'),
('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'),
('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'),
('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]>
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049788677]> LD_LIBRARY_PATH=../q049493537/Python-3.6.4:../q049320993/ssl/build/lib ../q049493537/Python-3.6.4/python code.py
Python 3.6.4 (default, Mar 28 2018, 23:34:25)
[GCC 5.4.0 20160609] on linux
OpenSSL 1.0.2h-fips 3 May 2016
Options: 835A03FF (<Options.OP_ALL|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2203714559>)
Protocols:
TLSv1 - 3
TLSv1_1 - 4
TLSv1_2 - 5
--- Removing TLSv1_1...
Options: 935A03FF (<Options.OP_ALL|OP_NO_TLSv1_1|OP_NO_SSLv3|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2472150015>)
Protocols:
TLSv1 - 3
TLSv1_2 - 5
--- Adding SSLv3...
Options: 915A03FF (<Options.OP_ALL|OP_NO_TLSv1_1|OP_NO_SSLv2|OP_CIPHER_SERVER_PREFERENCE|OP_SINGLE_DH_USE|OP_SINGLE_ECDH_USE|OP_NO_COMPRESSION: 2438595583>)
Protocols:
SSLv3 - -1
TLSv1 - 3
TLSv1_2 - 5
Computed protocols:
[('SSLv2', -1, '0x1000000'),
('SSLv3', -1, '0x2000000'),
('TLSv1', <_SSLMethod.PROTOCOL_TLSv1: 3>, '0x4000000'),
('TLSv1_1', <_SSLMethod.PROTOCOL_TLSv1_1: 4>, '0x10000000'),
('TLSv1_2', <_SSLMethod.PROTOCOL_TLSv1_2: 5>, '0x8000000')]
When was TLS 1.2 support added to OpenSSL?
On the official changelog page you provided, under Changes between 1.0.0h and 1.0.1 [14 Mar 2012] you can see Initial TLS v1.2 support.
*) Add TLS v1.2 server support for client authentication.
[Steve Henson]*) Add TLS v1.2 client side support for client authentication. Keep cache
of handshake records longer as we don't know the hash algorithm to use
until after the certificate request message is received.
[Steve Henson]*) Initial TLS v1.2 client support. Add a default signature algorithms
extension including all the algorithms we support. Parse new signature
format in client key exchange. Relax some ECC signing restrictions for
TLS v1.2 as indicated in RFC5246.
[Steve Henson]*) Add server support for TLS v1.2 signature algorithms extension. Switch
to new signature format when needed using client digest preference.
All server ciphersuites should now work correctly in TLS v1.2. No client
support yet and no support for client certificates.
[Steve Henson]*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
ciphersuites. At present only RSA key exchange ciphersuites work with
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
and version checking.
[Steve Henson]*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only a few changes are required [...]
TLS 1.2 support is from OpenSSL version 1.0.1.
OpenSSL 0.9.8x is lower than 1.0.1 so it does not support TLS 1.2
How to tell what SSL/TLS protocol version can be established using certain cipher suite
This is kind of offtopic here as not related to programming. But why concerning yourself about other versions than 1.2 or 1.3?
TLS 1.3 has a very small list of ciphers, separate from all previous ones:
This specification defines the following cipher suites for use with
TLS 1.3.
+------------------------------+-------------+
| Description | Value |
+------------------------------+-------------+
| TLS_AES_128_GCM_SHA256 | {0x13,0x01} |
| | |
| TLS_AES_256_GCM_SHA384 | {0x13,0x02} |
| | |
| TLS_CHACHA20_POLY1305_SHA256 | {0x13,0x03} |
| | |
| TLS_AES_128_CCM_SHA256 | {0x13,0x04} |
| | |
| TLS_AES_128_CCM_8_SHA256 | {0x13,0x05} |
+------------------------------+-------------+
For other versions, a tool like https://github.com/mozilla/cipherscan can help it shows ciphers and which version they apply to.
Or just openssl with the openssl ciphers command, adding the -s parameter and then -tls1, -tls1_1 or -tls1_2.
If you look at its manual you also have lists, look at bottom of https://www.openssl.org/docs/manmaster/man1/ciphers.html
There are a lot of possible ciphers to use in TLSv1.2 but not all are a good idea. Some people try to maintain lists of good parameters, see for example https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations or https://weakdh.org/sysadmin.html
I also recommend you to look at this effort to define a "Long Term Support" TLSv1.2 that is a specification on top of current TLS version 1.2 for people that will not more to 1.3, that tries to improve security by removing everything from TLS v1.2 that was found not to be a good idea, while still being 100% TLS v1.2 conformant.
https://datatracker.ietf.org/doc/draft-gutmann-tls-lts/?include_text=1
This document specifies an update of TLS 1.2 for long-term support on
systems that can have multi-year or even decade-long update cycles,
one that incoporates as far as possible what's already deployed for
TLS 1.2 but with the security holes and bugs fixed.
About ciphers it has this to say:
TLS-LTS restricts the more or less unlimited TLS 1.2 with its more
than three hundred cipher suites, over forty ECC parameter sets, and
zoo of supplementary algorithms, parameters, and parameter formats,
to just two, one traditional one with DHE + AES-CBC + HMAC-SHA-256 +
RSA-SHA-256/PSK and one ECC one with ECDHE-P256 + AES-GCM + HMAC-
SHA-256 + ECDSA-P256-SHA-256/PSK with uncompressed points:o TLS-LTS implementations MUST support
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256. For these suites, SHA-256
is used in all locations in the protocol where a hash function is
required, specifically in the PRF and per-packet MAC calculations
(as indicated by the _SHA256 in the suite) and also in the client
and server signatures in the CertificateVerify and
ServerKeyExchange messages.[Note: TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 is based on
draft-ietf-tls-ecdhe-psk-aead, currently still
progressing as an IETF draft, the reference will be
updated to the full RFC once it's published].
Command prompt to check TLS version required by a host
You can check using following commands.
For TLS 1.2:
openssl s_client -connect www.google.com:443 -tls1_2
For TLS 1.1:
openssl s_client -connect www.google.com:443 -tls1_1
For TLS 1:
openssl s_client -connect www.google.com:443 -tls1
If you get the certificate chain and the handshake then the TLS version is supported. If you don't see the certificate chain, and something similar to "handshake error" then its not.
openssl not support all ssl version and Net::SIP::SocketPool not support all ssl version
It is likely that the default security level on your system is set to 2 so that older TLS versions are disabled by default. But one can disable this:
my $ua = Net::SIP::Simple->new(
....
tls => {
SSL_fingerprint => ...,
SSL_cipher_list => 'DEFAULT:@SECLEVEL=1', # allow more ciphers
SSL_version => 'TLSv1', # enforce TLSv1
}
);
Related Topics
How Much Memory Is Consumed by the Linux Kernel Per Tcp/Ip Network Connection
Tcp_Tw_Reuse VS Tcp_Tw_Recycle:Which to Use (Or Both)
How to Create Threads Without System Calls in Linux X86 Gas Assembly
One Core Exclusively for My Process
Export Not Working in My Shell Script
Remove Line of Text from Multiple Files in Linux
Fuzzy File Search in Linux Console
Print Date for the Monday of the Current Week (In Bash)
How to Udp Broadcast with C in Linux
Shell: Redirect Stdout to /Dev/Null and Stderr to Stdout
Loading Elf File in C in User Space
Managing a User Password for Linux in Puppet
Sudo: Docker-Compose: Command Not Found
How to Set a Static Ip Address in a Docker Container