Topic: Configure Min and Max TLS versions

Hi,

I would like to configure a server to support TLSv1.1 as the min version and TLSv1.3 as the max version.

In this way, if a client supports one of the following versions, it can establish a secure connection with the server:
- TLSv1.1
- TLSv1.2
- TLSv1.3

However, I can't find a function within the wolfSSL API which allows this. I find the function wolfSSLv23_server_method(), which allows using the highest TLS version up to TLSv1.2. Therefore TLSv1.3 will not be used even if a client supports it.

My question is, is there a method to configure an endpoint (server or client) to use the highest TLS version from the following versions:
- TLSv1.1
- TLSv1.2
- TLSv1.3

The same question for DTLS, how to configure an endpoint to use the highest DTLS version from the following versions:
- DTLSv1.1
- DTLSv1.2


2 (edited by Kaleb J. Himes 2019-04-09 07:55:57)

Re: Configure Min and Max TLS versions

Hi okba.zoueghi,

Which version of wolfSSL do you have? We do absolutely support TLS 1.3 with the v23 client/server methods, so perhaps we just need to update our documentation? Can you point out where the document is that says it only supports TLS 1.2 or below, and I will gladly update that. If you have an older version of wolfSSL then it's possible the comment is accurate. However, if you grab wolfssl-4.0.0.zip from our download page here: https://www.wolfssl.com/download/

You will find that the v23 methods do support all configured versions. To configure with TLS 1.3, use either --enable-all or --enable-tls13 in your configure settings.

./configure --enable-all && make && <sudo> make install

P.S. Can you tell us a bit about what it is you are working on and the end goals for your project? Also, if you experience slow turnaround times here on the forums you can always contact us at support@wolfssl.com or via the Zendesk portal directly at https://wolfssl.zendesk.com

Warm Regards,

K

Re: Configure Min and Max TLS versions

Hi Kaleb,

Thanks for your reply.

You can find the documentation of the function wolfSSLv23_server_method() at the link below; it says that the endpoint using it selects the highest TLS version up to TLSv1.2.
https://www.wolfssl.com/doxygen/group__ … b367b1f4c0

Is there a similar function for DTLS? I would like to configure an endpoint to select the highest DTLS version from DTLSv1.1 and DTLSv1.2.

Best regards,
Okba


Re: Configure Min and Max TLS versions

Thank you so much. I reached out to our document maintainer and found that the documentation has not yet been updated with the TLS 1.3 APIs, though we do expect that to happen in the near future. Since there are not yet sections for wolfTLSv1_3_server_method (and the client method), we do not expect to have the v23 methods updated yet either. I have summarized your report to the document maintainer and he has noted that when the TLS 1.3 update happens we also need to indicate that the v23 client and server methods support SSL 3.0 - TLS 1.3 as well.

If there is anything else we can assist with at this time, let us know, but be assured you can use the downgrade APIs (v23 methods) and still have TLS 1.3 support with them even though the documentation is not yet updated to reflect this.

Warmest Regards,

K

Re: Configure Min and Max TLS versions

Hi,

Thank you for the clarification.

You still haven't answered my question about DTLS: is there a function that allows the use of downgrade for DTLS?

I would like to configure an endpoint to use the highest DTLS version from DTLSv1.1 and DTLSv1.2.

Thanks in advance.
Best regards,
Okba


Re: Configure Min and Max TLS versions

Hi Okba,

My apologies for missing the DTLS question. No, there is no robust downgrade option with DTLS; the protocol doesn't quite work that way. UDP attempts to simulate a handshake in the same way that TLS does, but it is not the same thing. That being said, I did a bit of digging in the code and I determined it would theoretically be possible to get a downgrade option implemented. I then reached out to our DTLS expert, who also confirmed that while it is not currently supported, it would be possible to get it working if you have a high need for it.

wolfSSL does offer traditional consulting services which allow us to implement customized features. If you would like to pursue a DTLS downgrade option, let me know and I can get you in touch with the right resources on the wolfSSL side to get the ball rolling on an effort.

Warm Regards,

K