Tags: python, openssl, tls1.2, configuration-files

How to configure 'TLS1.2 only' in OpenSSL 1.0.2 config file?


I would like to update the configuration of OpenSSL 1.0.2 (specifically 1.0.2k-fips as found on AWS's Amazon Linux 2 AMIs), so that any client using OpenSSL refuses TLSv1.1, TLSv1, or anything lower that is not TLSv1.2.

I have learned that for OpenSSL 1.1+, in the OpenSSL config file (e.g., /etc/pki/tls/openssl.cnf on Amazon Linux 2, or /usr/lib/ssl/openssl.cnf on Debian derivatives, or whatever $OPENSSL_CONF points to), one can specify openssl_conf -> a section with ssl_conf -> a section with system_default -> a section with MinProtocol=TLSv1.2.

However, that ssl_conf syntax is unknown in OpenSSL 1.0.2k, and instead it tries to load libssl_conf.so which fails because that shared library does not exist.

So my question: Is it possible to configure OpenSSL 1.0.2 to fail if one tries to use TLSv1.1 or below? At least if the openssl binary tries, or any Python code that I don't control using the ssl module for Python 3.9 or lower?


Additional information: At least on Amazon Linux 2 with OpenSSL 1.0.2k-fips, using grep I cannot even find the string MinProtocol in any OpenSSL 1.0.2 related binary or shared library. (But it does occur in an OpenSSL 1.1.1s libssl.so.1.1 that is shipped with an agent I happened to have on that same AL2 system.)

So that confirms my suspicion that the answer to my question is: No, this is not possible.


Solution

  • For the record, as a self-answer (to replace an answer that was deleted for looking ChatGPT-generated): OpenSSL 1.0.2 does not support configuring allowed SSL/TLS protocol versions or cipher suites through its configuration file.

    Evidence:

    • OpenSSL 1.0.2 binaries (at least OpenSSL 1.0.2k-fips as shipped with Amazon Linux 2 AMIs from AWS) don't contain the string MinProtocol.
    • The ssl_conf configuration seems to have been added in OpenSSL 1.1.0, per e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918727. And the system_default configuration inside of ssl_conf is automatically applied since OpenSSL 1.1.1, per commit 8a5ed9dc "Apply system_default configuration on SSL_CTX_new()." It is those features, apparently, that make it possible to put TLS configurations in the OpenSSL config file ($OPENSSL_CONF with a distro-specific default), in addition to calling some OpenSSL API.
    • None of the procedures seen in comments on this question or in other answers actually work. They either ignore the configuration file change, or fail to load the configuration, for example with could not load the shared library:dso_dlfcn.c:187:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory.

    (As ChatGPT pointed out, there are various ways where a cooperating client can give OpenSSL such settings, e.g., via its API, via the openssl command line, or via Python's ssl default SSL context; but that was not the point of this question.)
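Added example (not part of the question or the answer above) showing the "cooperating client" route the answer's last paragraph refers to, from Python's ssl module. Since OpenSSL 1.0.2 has no MinProtocol, the only portable knob is the SSL_CTX_set_options() bits that Python exposes as ssl.OP_NO_TLSv1 and ssl.OP_NO_TLSv1_1; builds against OpenSSL 1.1.0g or later also expose SSLContext.minimum_version, and the code sets both. The audit helper accepted_versions() reads those same two mechanisms back, so it can be pointed at any SSLContext a program hands you and tell you whether it would still negotiate TLS 1.1 or lower. The function names and the "loose" contrast context in the demo are this example's own constructions, not anything from the page.

```python
"""Enforce and audit a TLS 1.2 floor from the Python ssl module (added example)."""
import ssl
import warnings

# Protocol names in negotiation order, each with the SSL_CTX_set_options() bit
# that disables it. getattr() keeps this importable on builds that lack a flag.
_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_NO_BIT = {
    "SSLv3":   getattr(ssl, "OP_NO_SSLv3", 0),
    "TLSv1":   getattr(ssl, "OP_NO_TLSv1", 0),
    "TLSv1.1": getattr(ssl, "OP_NO_TLSv1_1", 0),
    "TLSv1.2": getattr(ssl, "OP_NO_TLSv1_2", 0),
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),
}
# ssl.HAS_TLSv1_1 etc. report what the linked OpenSSL was compiled with.
_HAS = {v: getattr(ssl, "HAS_" + v.replace(".", "_"), True) for v in _ORDER}


def _version_enum(name):
    # "TLSv1.1" -> ssl.TLSVersion.TLSv1_1 (only used where TLSVersion exists)
    return getattr(ssl.TLSVersion, name.replace(".", "_"))


def tls12_only_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Client context that refuses SSLv3, TLS 1.0 and TLS 1.1 (hypothetical helper)."""
    ctx = ssl.create_default_context(purpose)
    with warnings.catch_warnings():
        # Python >= 3.10 deprecates the OP_NO_* bits in favour of minimum_version,
        # but they are the only mechanism a build against OpenSSL 1.0.2 offers.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= _NO_BIT["SSLv3"] | _NO_BIT["TLSv1"] | _NO_BIT["TLSv1.1"]
    if hasattr(ctx, "minimum_version"):  # SSL_CTX_set_min_proto_version, OpenSSL >= 1.1.0g
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accepted_versions(ctx):
    """Protocol versions the context would still negotiate, oldest first."""
    lo = getattr(ctx, "minimum_version", None)
    hi = getattr(ctx, "maximum_version", None)
    out = []
    for name in _ORDER:
        if not _HAS[name]:                      # compiled out of this OpenSSL
            continue
        if ctx.options & _NO_BIT[name]:         # disabled through an OP_NO_* bit
            continue
        if lo is not None:                      # disabled through min/max version
            ver = _version_enum(name)
            if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
                continue
            if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and ver > hi:
                continue
        out.append(name)
    return out


def refuses_below_tls12(ctx):
    """True when every version the context would negotiate is TLS 1.2 or 1.3."""
    acc = accepted_versions(ctx)
    return bool(acc) and set(acc) <= {"TLSv1.2", "TLSv1.3"}


if __name__ == "__main__":
    strict = tls12_only_context()
    print("strict context accepts:", accepted_versions(strict))

    # Constructed contrast: a context that still allows TLS 1.0/1.1 where the
    # local OpenSSL permits it (some distro policies refuse, hence try/except).
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            loose.options &= ~(_NO_BIT["TLSv1"] | _NO_BIT["TLSv1.1"])
        if hasattr(loose, "minimum_version"):
            loose.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass
    print("loose context accepts:", accepted_versions(loose),
          "- refuses below TLS 1.2:", refuses_below_tls12(loose))
```

This only helps code you can hand the context to; it is exactly the case the question rules out (Python code you do not control), which is why the answer's "not possible via the config file" conclusion stands for OpenSSL 1.0.2. The audit half is still useful on such a host: run refuses_below_tls12() against the contexts your own services build to confirm the floor is in place regardless of what the system openssl.cnf can or cannot express.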