OpenSSL 3.1.0 does not support DTLS-1.0 by default #21356
-
OS: Windows 10
Openssl.exe, libssl-3-x64.dll and libcrypto-3-x64 are compiled from source with the following compile options:
I am using the libssl-3 and libcrypto-3 binaries, but the issue can be demonstrated with openssl.exe.
To reproduce:
Client reports:
Server reports:
It seems the TLS1_1 cipher suites (which I believe DTLSv1 is based on) are not being compiled in. TLS1.0 and TLS1.1 also do not work. Setting the max and min protocol version to DTLS1_VERSION does not emit any errors (SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version). openssl.exe ciphers -s -tls1_1 shows an empty list. The TLSv1 and TLSv1_1 methods (e.g. TLSv1_client_method) are available in the binary, so it seems that the compile option no-tls1 is not being invoked. The compile options enable-{tls1|tls1_1} have no effect. Is there something I'm missing?
Replies: 9 comments
-
You need to use the
-cipher DEFAULT:@SECLEVEL=0
option with s_client or s_server, otherwise only TLS1.2 and above and DTLS1.2 are enabled.
To override the default security level at OpenSSL build time you can use
-DOPENSSL_TLS_SECURITY_LEVEL=0
on the Configure command line.
You can also use the
SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
or
SSL_set_security_level(SSL *s, int level)
calls from the application to override the default security level.
-
OK. That's a little confusing. Is this a change of approach? It also means that even though the cipher suites are not included at compile time by default any more, the TLSv1 methods are still available in the libraries. Are they NOPs?
I wasn't sure where "-ciphers DEFAULT:@SECLEVEL=0" was supposed to be used (configure? make? openssl.exe? SSL_CTX_set_cipher_list?) but I configured for compile using:
./Configure -DOPENSSL_TLS_SECURITY_LEVEL=0 no-zlib no-module enable-legacy enable-fips
That seems to have done the trick and I can now use DTLSv1 (and TLS1.0/1.1).
-
It's a runtime parameter to s_server/s_client. DTLSv1 and all its ciphersuites are compiled in by default. However, the default security level will prevent certain algorithms from being used. Notably, SHA1 is no longer considered sufficiently secure for default use. Since DTLSv1 uses SHA1, it isn't available at the default security level. Simply changing the security level makes everything work again.
Security levels have been there for a long time. What has changed is that SHA1 dropped out of the default security level due to it no longer being considered sufficiently secure.
Everything you need for DTLSv1 is compiled in by default. You just need to change the runtime security level setting to make them usable.
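The distinction drawn above (protocol compiled out versus protocol gated by the default security level) can be checked from the command line. The script below is an added example, not code from the thread or from OpenSSL; it uses only the `openssl ciphers -s -tls1_1` form quoted in the question and the `DEFAULT:@SECLEVEL=0` cipher string from the reply, and it assumes an `openssl` binary on PATH. The `ciphers` command only exposes TLS version flags, so it probes TLS 1.0/1.1, which the reply says are gated by the same SHA1 rule as DTLS 1.0.

```shell
#!/bin/sh
# Added diagnostic: tell "protocol not compiled in" apart from "protocol blocked
# by the default security level", using nothing but the openssl CLI.

# Count the cipher suites that `openssl ciphers -s` reports as usable for a
# protocol flag (e.g. -tls1_1) under a cipher list string (default: DEFAULT).
usable_ciphers() {
    uc_flag=$1
    uc_list=${2:-DEFAULT}
    # With no usable suites the command prints an empty line, so count only
    # non-empty lines after splitting the colon-separated list.
    openssl ciphers -s "$uc_flag" "$uc_list" 2>/dev/null \
        | tr ':' '\n' | awk 'NF { n++ } END { print n + 0 }'
}

# Classify a protocol version:
#   usable       - suites available at the default security level
#   seclevel     - none at the default level, some once @SECLEVEL=0 is requested
#                  (the situation described in this thread)
#   compiled-out - none even at @SECLEVEL=0 (e.g. built with no-tls1_1)
diagnose() {
    d_flag=$1
    at_default=$(usable_ciphers "$d_flag")
    at_level0=$(usable_ciphers "$d_flag" 'DEFAULT:@SECLEVEL=0')
    if [ "$at_default" -gt 0 ]; then
        echo usable
    elif [ "$at_level0" -gt 0 ]; then
        echo seclevel
    else
        echo compiled-out
    fi
}

for proto in -tls1 -tls1_1 -tls1_2; do
    printf '%s: %s\n' "$proto" "$(diagnose "$proto")"
done
```

On an OpenSSL 3.x build at the default security level the expected output is `seclevel` for -tls1 and -tls1_1 and `usable` for -tls1_2; `compiled-out` for a version means lowering the security level will not help.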
-
s_client and s_server report:
Are you sure you are not referring to 1.1.1 rather than 3.1.0? It's fine in 1.1.1. In 3.1.0 we are supposed to use max and min protocol versions instead of those strings. From the cipher dump (see first post), the tls1 ciphers don't seem to be available at all by default.
-
Typo in @t8m's original response. The option is actually called "-cipher".
-
Yep, I always confuse the
-
Aha. OK. That seems to work. Having to use SSL_CTX_set_cipher_list is a bit of a pain for me, as users can define it.
I guess I misunderstood. But I should have read the documentation more closely...
I was confused as there were no errors emitted to tell me I had a setting wrong, and it just didn't seem to work (it would connect, then fail). Without your tribal knowledge I wouldn't have realised it was to do with the security level. Thanks to everyone for your patience and very quick responses.
-
So they've broken backward compatibility yet again; this causes a lot of people a lot of pain, and makes people reluctant to update to the latest version. Anyway, for anyone wondering, the function to add to fix it is:
void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
with level set to zero.
-
Without dropping support for obsolete TLS versions and insecure ciphers (at least in the default configuration) we would be making the internet unsafe. Also, 3.1.0 effectively does not change things from 3.0.0, where SHA1 is already disabled in SECLEVEL > 0, and that hash is required for DTLS-1.0.