Topic: Configure Min and Max TLS versions

Hi,

I would like to configure a server to support TLSv1.1 as the min version and TLSv1.3 as the max version.

In this way, if a client supports one of the following versions, it can establish a secure connection with the server:
- TLSv1.1
- TLSv1.2
- TLSv1.3

However, I don't find within the WolfSSL API a function which allows this. I find the function wolfSSLv23_server_method() which allows using the highest TLS version up to TLSv1.2. Therefore TLSv1.3 will not be used if a client supports it.

My question is, is there a method to configure an endpoint (server or client) to use the highest TLS version from the following versions:
- TLSv1.1
- TLSv1.2
- TLSv1.3

The same question for DTLS, how to configure an endpoint to use the highest DTLS version from the following versions:
- DTLSv1.1
- DTLSv1.2

Share

2 (edited by Kaleb J. Himes 2019-04-09 07:55:57)

Re: Configure Min and Max TLS versions

Hi okba.zoueghi,

Which version of wolfSSL do you have? We do absolutely support TLS 1.3 with the v23 client/server methods so perhaps we just need to update our documentation? Can you point out where the document is that says it only supports TLS1.2 or below and I will gladly update that. If you have an older version of wolfSSL then it's possible the comment is accurate. However if you grab wolfssl-4.0.0.zip from our download page here: https://www.wolfssl.com/download/

You will find that the v23 methods do support all configured versions. To configure with tls 1.3 use either --enable-all or --enable-tls13 in your configure settings.

./configure --enable-all && make && <sudo> make install

P.S. Can you tell us a bit about what it is you are working on and end goals for your project? Also if you experience slow turn around times here on the forums you can always contact us at support@wolfssl.com or via the zendesk portal directly at https://wolfssl.zendesk.com


Warm Regards,

K

Re: Configure Min and Max TLS versions

Hi Kaleb,

Thanks for your reply.

You can find the documentation of the function wolfSSLv23_server_method() in the link below, it says that the endpoint using it selects the highest TLS version up to TLSv1.2.
https://www.wolfssl.com/doxygen/group__ … b367b1f4c0

Is there a similar function for DTLS? I would like to configure an endpoint to select the highest DTLS version from DTLSv1.1 and DTLSv1.2.

Best regards,
Okba

Share

Re: Configure Min and Max TLS versions

Thank you so much, I reached out to our document maintainer and found that the documentation has not yet been updated with the TLS1.3 API's though we do expect that to happen in the near future. Since there are not yet sections for wolfTLSv1_3_server method (and client method) we do not expect to have the v23 methods updated yet either. I have summarized your report to the document maintainer and he has noted that when the TLS1.3 update happens we also need to indicate that the v23 client and server methods support SSL 3.0 - TLS 1.3 as well.

If there is anything else we can assist with at this time let us know but be assured you can use the downgrade API's (v23 methods) and still have TLS 1.3 support with them even though the documentation is not yet updated to reflect this.

Warmest Regards,

K

Re: Configure Min and Max TLS versions

Hi,

Thank you for the clarification.

You still haven't answered my question about DTLS, is there a function that allows to use downgrade for DTLS?

I would like to configure an endpoint to use the highest DTLS version from DTLSv1.1 and DTLSv1.2.

Thanks in advance.
Best regards,
Okba

Share

Re: Configure Min and Max TLS versions

Hi Okba,

My apologies for missing the DTLS question. No there is no robust downgrade option with DTLS, the protocol doesn't quite work that way. UDP attempts to simulate a handshake in the same way that TLS does but it is not the same thing. That being said I did a bit of digging in the code and I determined it would theoretically be possible to get a downgrade option implemented. I then reached out to our DTLS expert who also confirmed that while not currently supported it would be possible to get it working if you have a high need for it.

wolfSSL does offer traditional consulting services which allow us to implement customized features, if you would like to pursue a DTLS downgrade option let me know and I can get you in touch with the right resources on the wolfSSL side to get the ball rolling on an effort.

Warm Regards,

K

7 (edited by carlo 2020-06-20 08:22:08)

Re: Configure Min and Max TLS versions

More than a year later...

Still no mention of TLS v1.3 on https://www.wolfssl.com/docs/wolfssl-manual/ch11/

Who is this document maintainer that you asked to update this?

Share

Re: Configure Min and Max TLS versions

I have the exact same question as okba.zoueghi : how can I hand pick the protocol versions that I want to negotiate?
It seems that you either support a single protocol/version (ie, ONLY TLS 1.1 and nothing else) OR one has to use wolfSSLv23_client_method() and run the risk that something is negotiated that you don't want (e.g. SSL 3.0, or TLS 1.0).

It seems that the user is not able to select exactly which protocols (and signature algorithms and ciphersuites for that matter) they are willing to accept during negotiation.

Share

9 (edited by carlo 2020-06-20 09:53:42)

Re: Configure Min and Max TLS versions

I did some investigation and found the following:

The struct ProtocolVersion can contain a single protocol version (by major and minor version number).
The struct WOLFSSL_METHOD reflects the negotiation method and contains the following fields,

/* wolfSSL method type */
struct WOLFSSL_METHOD {
    ProtocolVersion version;                                                    
    byte            side;         /* connection side, server or client */
    byte            downgrade;    /* whether to downgrade version, default no */
};

The (much larger) struct Options contains a field `downgrade` (one bit) and a byte field `minDowngrade` which is
the minimum minor version of the protocol that will be negotiated (or so it seems from the source code).

The function `void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv)` initializes
the `WOLFSSL_METHOD` passed with the `ProtocolVersion` passed and sets `side` to `WOLFSSL_CLIENT_END`
and `downgrade` to 0.

The following functions set the byte field of struct WOLFSSL_METHOD called `downgrade` to 1 and leave
the `side` field at `WOLFSSL_CLIENT_END` (as opposed to setting it to `WOLFSSL_SERVER_END`):

wolfSSLv23_client_method()
wolfTLS_client_method()
wolfDTLS_client_method()

Note that (apart from horrible code duplication) `wolfTLS_client_method()` initializes the `ProtocolVersion` field with TLS 1.0, 1.1, 1.2 or 1.3, whichever version is the highest that is compiled into the library. While `wolfSSLv23_client_method()` initializes the `ProtocolVersion` field with TLS 1.1, 1.2 or 1.3, whichever version is the highest compiled in - and if none is compiled in it simply leaves the structure uninitialized for a nice crash or other undefined behavior.

Assuming nobody in their right mind will compile wolfssl without support for TLS 1.3 for now, both functions do the exact same thing; but it seems to me that `wolfSSLv23_client_method`is broken in multiple ways.

The struct WOLFSSL_CTX also has a `minDowngrade` field. This field is copied to WOLFSSL->options.minDowngrade in `SetSSL_CTX`. It is also set in `dtls_export_load` which I will ignore. Finally options.minDowngrade seems to be changed by `SetMinVersionHelper` when called from `wolfSSL_SetMinVersion` (https://www.wolfssl.com/doxygen/group__ … 92e0c5c4f5) [Note the outdated / incorrect documentation there: there is no mention of wolfTLS_client_method() or wolfDTLS_client_method()].

Likewise it is possible to change the `minDowngrade` field in the WOLFSSL_CTX struct with `wolfSSL_CTX_SetMinVersion`.

In summary, my conclusion is that the answer to okba.zoueghi's question is that one has to use `ctx = wolfSSL_CTX_new(wolfTLS_client_method())` and then either call `wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_TLSV1_1)` prior to creating a WOLFSSL with `ssl = wolfSSL_new(ctx)`, or call wolfSSL_SetMinVersion(ssl, WOLFSSL_TLSV1_1) afterwards.

Here is a snippet of my test code:

      /* declare wolfSSL objects */
      WOLFSSL_CTX* ctx;

      /* Create and initialize WOLFSSL_CTX */
      if ((ctx = wolfSSL_CTX_new(wolfTLS_client_method())) == NULL) {
          fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
          goto init_cleanup;
      }

      // Demand at least TLS version 1.2.
      wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_TLSV1_2);

Which should try to negotiate TLS 1.3 and if that fails try TLS 1.2 and if that fails give up.

Share

Re: Configure Min and Max TLS versions

@carlo,

Thank you so much for your followup. The maintainer I mentioned above has since departed wolfSSL Inc and it looks like the action item was never completed. I just opened a PR for it here: https://github.com/wolfSSL/wolfssl/pull/3066

To avoid unwanted protocol versions it's as easy as turning them off. If you don't want to risk negotiating older protocols please use --disable-oldtls to turn off TLSv1.1, TLSv1.0 and SSL3.0.

./configure --disable-oldtls --disable-tlsv12 # Supports TLSv1.3
./configure --disable-oldtls                  # Supports TLSv1.3 and TLSv1.2
./configure --disable-sslv3 --disable-tlsv10  # Supports TLSv1.3, TLSv1.2 and TLSv1.1
./configure --disable-sslv3                   # Supports TLSv1.3, TLSv1.2, TLSv1.1 and TLSv1.0
./configure --enable-oldtls                   # Supports TLSv1.3, TLSv1.2, TLSv1.1, TLSv1.0, and SSLv3.0

NOTE: This is for v4.4.1 and newer of wolfSSL. For version 4.4.0 and older tls1.3 was not enabled by default and you would need to add --enable-tls13 to the configure options to enable TLSv1.3 support.

... etc.

Use combinations of options to specify what is supported and the wolfSSLv23_server_method() or wolfSSLv23_client_method() will negotiate what it can based on what is enabled!

Cheers,

KH