How to globally disable protocols < TLS 1.2 at openssl library level
I've been asked to disable the use of all SSL, and TLS < TLS 1.2, globally on one of my Centos boxes. Its been suggested that I should be able to do this in the openssl library.
I'm reasonably familiar with SSL/TLS, ciphersuites, etc, but I can't see how to do this in openssl.cnf. The documentation I find is clear on how to do this for Apache, or how to limit available protocol version within an application, but that's not what I'm after. I'm not running a web server.
Short of modifying the source to filter ciphersuites and protocols, then rebuilding, is there a way to do this?
MinProtocol
in the config file is relatively new to OpenSSL, I think 1.1.1.
However, TLS is messier than that, this isn't an easy answer. OpenSSL MinProtocol
only is available to relatively new distro versions like EL8. The application may use the API in a way that does not use openssl.cnf, possibly using its own configuration. Or use a different TLS like gnutls or NSS.
It still is a good idea to read the documentation, maybe the source code, of the software you use for any TLS related configuration. Web servers historically exposed more of the protocol configuration. But they are not the only software where TLS is more fine grained than on and off.
Then test if lesser TLS can be negotiated, during a packet capture. Tools exist to help with this.