Score:0

Disable TLSv1.0 and TLSv1.1 when generating certificates using openssl 1.1.1


I am struggling to implement a feature for my certificates. I am generating my certificates with OPENSSL 1.1.1. I want to allow only TLSv1.2 and TLSv1.3. The other protocols should not be possible (TLSv1.0 / TLS1.1 / ...). The goal is to generate certificates for multiple websites and authorize only TLSv1.2 and TLSv1.3 with specific Ciphers. I don’t want to modify my webservers configuration (I know it is easily possible to restrict the protocols on Apache or NGINX but I want to go deeper in the openssl experience).

I have the following command line:

openssl req -new -nodes -x509 -config certrequest.cnf -keyout myserver.key -out myserver.pem

My “certrequest.cnf” file looks like this:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=State
L=City
O=TEST
OU=HELLO WORLD
[email protected]
CN = mydomain.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = mydomain.example.com
IP.1 = 127.0.0.1

What I have tried so far, which is closest to the openssl documentation:

[system_default_sect]
Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3
MinProtocol = TLSv1.2

I have tried so many solutions and I still can’t restrict the protocols. According to the openssl documentation, it seems possible, but I am failing to implement it correctly.

I am testing my protocols/ciphers with the following command:

nmap --script ssl-enum-ciphers -p 443 mydomain.example.com

In the NMAP output, I have all protocols and ciphers with the indication “cipher preference: client”. Maybe forcing the server could be a good way.

Could you please help me find the solution?

Have a great day!

anx
Chances are you are running an old release of an operating system that has in newer releases already disabled these by default. You may not need to configure anything, if only you do what you should do anyway: make sure you are running versions still well supported.
dave_thompson_085
BTW your certrequest.cnf would put SAN in the CSR _IF_ you generated a CSR with `openssl req -new # no -x509` but since you are generating a (selfsigned) _cert_ with `openssl req -new -x509 ...` it does not; for that case you need to have `x509_extensions = sectionname` instead of or in addition to `req_extensions =`.
Score:2

It is not possible to restrict a certificate, so that it can only be used with certain protocol versions or ciphers (apart from RSA certificates needing ciphers supporting RSA authentication and ECC certificates needing ciphers supporting ECDSA authentication).

For more details see Can a SSL Certificate dictate protocol? and Can we restrict cipher suites using server certificate? at security.stackexchange.com.

gboltonrp
Great, thanks! I was afraid of that case. I will restrict the protocols and ciphers in my webservers then.
dave_thompson_085
In general you can't tie protocol to certificate, but I think the specific case in this Q can: if you create a cert with the RSA-PSS OID (not just an RSA key _usable_ for PSS) it can't be used in 1.0 or 1.1 because they can't do PSS; it can be used in 1.2 depending on the implementation(s) and in 1.3 always.
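
The answer's point, as an added example that is not part of the original thread: one self-signed certificate is presented to a current client and to a client capped at TLS 1.1, and only the server context's `minimum_version` decides the outcome. It assumes the `openssl` CLI is on PATH; `negotiate`, `demo` and the trimmed config (which uses `x509_extensions` so the SAN reaches the certificate) are constructed for illustration.

```python
import os, pathlib, ssl, subprocess, tempfile

HOST = "mydomain.example.com"  # constructed config below, modelled on certrequest.cnf
CNF = f"""[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = {HOST}
[v3_ext]
subjectAltName = DNS:{HOST}
"""

def negotiate(server_ctx, cafile, client_max):  # hypothetical helper: in-memory handshake
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
    client_ctx.load_verify_locations(cafile)
    client_ctx.maximum_version = client_max
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [(client, c_out, s_in), (server, s_out, c_in)]
    try:
        for _ in range(10):  # a full handshake needs only a few passes
            for side, outgoing, peer_in in list(pending):
                try:
                    side.do_handshake()
                    pending.remove((side, outgoing, peer_in))
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
                data = outgoing.read()
                if data:
                    peer_in.write(data)
            if not pending:
                return client.version()
    except ssl.SSLError:
        pass  # one endpoint refused the offered protocol version
    return None

def demo():  # returns (result for a current client, result for a TLS 1.1-only client)
    with tempfile.TemporaryDirectory() as d:
        cnf, key, crt = (os.path.join(d, n) for n in ("req.cnf", "key.pem", "cert.pem"))
        pathlib.Path(cnf).write_text(CNF)
        subprocess.run(["openssl", "req", "-new", "-nodes", "-x509", "-config", cnf,
                        "-keyout", key, "-out", crt], check=True, capture_output=True)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        server_ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the floor is set here
        return (negotiate(server_ctx, crt, ssl.TLSVersion.MAXIMUM_SUPPORTED),
                negotiate(server_ctx, crt, ssl.TLSVersion.TLSv1_1))
```

`demo()` returns a pair such as `('TLSv1.3', None)`; the first value depends on the local OpenSSL build, the second is `None` because the capped client is refused.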