How can I block SSL protocols in PyOpenSSL in favour of TLS? I'm using CentOS 7 and have these versions:
pyOpenSSL-0.
There are two ways to do it that I am aware of. One is a configuration option, and the other is a runtime option.
Configuration Option
The configuration option is used when building OpenSSL. It's great for all applications because it applies your administrative policy and addresses applications which are not mindful of SSL/TLS related issues.
For this option, simply configure OpenSSL with no-ssl2 no-ssl3. no-comp is also often used because compression can leak information.
    ./Configure no-ssl2 no-ssl3
Other OpenSSL options are available, and you might want to visit Compilation and Installation on OpenSSL's wiki.
Runtime Option
In C, you have to (1) use the 2/3 method to get SSL 2/3 and above; and then (2) call SSL_CTX_set_options (or SSL_set_options) and (3) remove the SSL protocols. That leaves the TLS protocols:
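    #include <openssl/ssl.h>

    /* Start from the version-flexible method, then mask out SSLv2, SSLv3 and compression. */
    SSL_CTX* ctx = SSL_CTX_new(SSLv23_method());
    const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(ctx, flags);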
In Python, you do it with OpenSSL.SSL.Context.set_options.
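The same runtime approach in pyOpenSSL, as an added example that is not part of the original answer. The helper names `make_tls_only_context` and `missing_options` are hypothetical; the audit helper relies on `set_options` returning the resulting option bitmask, so a context built elsewhere can be checked before it is used.

```python
from OpenSSL import SSL

# The options set in the C snippet, by their pyOpenSSL names.
# On OpenSSL 1.1.0 and later OP_NO_SSLv2 is 0 (SSLv2 was removed from the
# library), so the audit below passes trivially for that entry.
REQUIRED = {
    "OP_NO_SSLv2": SSL.OP_NO_SSLv2,
    "OP_NO_SSLv3": SSL.OP_NO_SSLv3,
    "OP_NO_COMPRESSION": SSL.OP_NO_COMPRESSION,
}


def make_tls_only_context():
    """Hypothetical helper: a context that negotiates TLS but never SSLv2/SSLv3."""
    # SSLv23_METHOD is the version-flexible method, like SSLv23_method() in C.
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    flags = 0
    for bit in REQUIRED.values():
        flags |= bit
    ctx.set_options(flags)
    return ctx


def missing_options(ctx):
    """Hypothetical audit helper: names of required options not set on ctx."""
    # set_options() ORs bits into the mask and returns the result, so passing 0
    # reads the current mask without changing it.
    mask = ctx.set_options(0)
    return sorted(name for name, bit in REQUIRED.items() if mask & bit != bit)


if __name__ == "__main__":
    hardened = make_tls_only_context()
    print("missing after hardening:", missing_options(hardened))
```

Calling `missing_options` on a context created by a framework or third-party library shows whether that code path still permits SSLv3 or compression.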