Supported SSL/TLS Versions in OpenSSL Builds: Command-Line Queries and Version History Analysis

Overview of OpenSSL Versions and SSL/TLS Protocol Support

OpenSSL, as a widely used open-source cryptography library, exhibits significant variations in SSL/TLS protocol support across different build versions. For system administrators and developers, accurately understanding the protocol versions supported by a specific OpenSSL version is crucial, as it directly impacts system security and compatibility. For instance, in versions like OpenSSL 1.0.0o, the range of supported protocols differs from later releases.

Determining Protocol Support via Version History

According to the official OpenSSL changelog, protocol support evolves with version updates. In OpenSSL 1.0.0 series versions (including up to 1.0.0h), SSLv2, SSLv3, and TLSv1.0 are supported by default. These early protocols, while widely deployed, are known to have security vulnerabilities, such as the POODLE attack in SSLv2 and SSLv3.

Starting from OpenSSL 1.0.1, support for TLSv1.1 and TLSv1.2 is added. These protocol versions introduce improved encryption algorithms and security enhancements, such as TLSv1.2 supporting stronger hash functions (e.g., SHA-256). Therefore, if you are using OpenSSL 1.0.0o, it only supports up to TLSv1.0, excluding TLSv1.1 or TLSv1.2.

Supplementary Method: Indirect Protocol Information via Command Line

Although OpenSSL lacks a direct command to list supported protocol versions, one can infer this indirectly by analyzing supported cipher suites. The following command example demonstrates how to extract protocol-related information:

openssl ciphers -v | awk '{print $2}' | sort | uniq

This command first uses openssl ciphers -v to list all available cipher suites with details, then extracts the protocol column (e.g., TLSv1.2, TLSv1.1) via awk '{print $2}', and finally sorts and deduplicates the output. The result might resemble:

TLSv1.0
TLSv1.1
TLSv1.2

Note that this method relies on cipher suite configuration and may not reflect all potentially supported protocols, especially if certain protocols are disabled. Thus, verification against version history is more reliable.

Code Example: Automated Protocol Support Detection

To systematically evaluate an OpenSSL build, one can write scripts combining version checks and cipher suite analysis. Here is a simple Bash script example:

#!/bin/bash
# Get OpenSSL version
openssl_version=$(openssl version | awk '{print $2}')
echo "OpenSSL version: $openssl_version"

# Infer protocol support based on version
if [[ "$openssl_version" =~ ^1\.0\.0 ]]; then
    echo "Supported protocols: SSLv2, SSLv3, TLSv1.0"
elif [[ "$openssl_version" =~ ^1\.0\.1 ]]; then
    echo "Supported protocols: SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2"
else
    echo "Refer to the OpenSSL changelog for accurate information"
fi

# Supplement: List actually available protocols (via cipher suites)
echo "Protocols detected via cipher suites:"
openssl ciphers -v 2>/dev/null | awk '{print $2}' | sort | uniq

This script first extracts the OpenSSL version, then outputs the supported protocol list based on version history, and finally provides supplementary information on actually available protocols via the cipher suite command. This aids in cross-verification and comprehensive assessment.

Security Recommendations and Best Practices

Given the security risks of early SSL/TLS versions, the following measures are recommended:

• Upgrade to OpenSSL 1.0.1 or later to support TLSv1.1 and TLSv1.2.
• Disable insecure protocols like SSLv2 and SSLv3, achievable through OpenSSL configuration or application settings.
• Regularly check the OpenSSL changelog for security updates and protocol support changes.

By combining version history analysis with command-line tools, you can accurately grasp the protocol support of your OpenSSL build, thereby optimizing system security configurations.