I am developing an application that communicates with a server through a secure communication. So the user of the application should choose a client certificate file (x509 certificate). I want to add the possibility for the user to specify the TLS version. I didn't find any attribute in the instance of x509Certificate cert = new X509Certificate(FileName) that identifies the TLS version. How to proceed?
- Why do you expect TLS version to be tied to a *certificate*? PKI exists outside of just the realm of TLS. – Damien_The_Unbeliever Nov 06 '17 at 10:34
- That's sort of like saying you want to specify the color of car you drive on a driver's license. They're "related", but not really. – bartonjs Nov 06 '17 at 14:36
- @Damien_The_Unbeliever I am using an x509 certificate while connecting an IoT device to the cloud, and now we want to upgrade the TLS version to 1.2 because of vulnerabilities in 1.0. So I am also wondering where to change this? How do I specify it in the x509 certificate? The IoT OS has all of the 1.0, 1.1 and 1.2 TLS versions enabled. Which one will it pick? – kudlatiger Sep 02 '22 at 08:51
- @kudlatiger did you reach a solution? If yes, I'd like to hear it. If not, as per my understanding, the TLS server specifies the available TLS versions at the time of the TLS handshake, aside from the shared certificates. – Himanshu Tanwar Jan 31 '23 at 17:11
- Not yet. I have deviated from this research. I shall keep you posted @HimanshuTanwar – kudlatiger Feb 04 '23 at 04:56
1 Answer
The version of TLS and the version of an X509 certificate are two totally different things. If you're referring to the TLS version, it can be specified with the various versions of the client/server methods of the OpenSSL library (they can be set on an SSL_CTX or SSL):
const SSL_METHOD *SSLv23_method(void);
const SSL_METHOD *TLSv1_2_method(void);
const SSL_METHOD *TLSv1_1_method(void);
const SSL_METHOD *TLSv1_method(void);
const SSL_METHOD *SSLv3_method(void);
const SSL_METHOD *SSLv2_method(void);
But if you really mean the version of X509, this can be defined using OpenSSL library functions. The X509 struct holds a certificate info struct which is defined (in 1.0.2l) as below:
typedef struct x509_cinf_st {
ASN1_INTEGER *version; /* [ 0 ] default of v1 */
ASN1_INTEGER *serialNumber;
X509_ALGOR *signature;
X509_NAME *issuer;
X509_VAL *validity;
X509_NAME *subject;
X509_PUBKEY *key;
ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
ASN1_ENCODING enc;
} X509_CINF;
And you will most probably be using the functions below to handle the version:
X509_CINF *X509_CINF_new(void);
X509_CINF * d2i_X509_CINF(X509_CINF **val_out, const unsigned char **der_in, long length);
int i2d_X509_CINF(X509_CINF *val_in, unsigned char **der_out);
But since v2 and v3 hold optional fields, there is no reason not to have v3.
Hayati Gonultas
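As an added illustration of the answer's point (example code written for this page, not from the original answer and not OpenSSL's own code): the TLS version range is a property of the connection context, which Python's OpenSSL-backed ssl module exposes as SSLContext (the counterpart of SSL_CTX and the *_method() selectors listed above), while the X.509 version is the optional [0] field at the head of tbsCertificate, i.e. the `version` member of X509_CINF. The DER encode/decode helpers and the toy certificate bytes are constructed for the example; the toy tbsCertificate stops after serialNumber, so it is not a valid certificate, only enough structure for the version field to be read the way a real parser would.

```python
"""TLS version is configured on the connection context; X.509 version is a
field inside the certificate. Added example, not code from the original post."""
import ssl
from typing import Optional, Tuple


def make_tls12_only_context() -> ssl.SSLContext:
    """Build a client context pinned to TLS 1.2 (what the questioner wants).

    PROTOCOL_TLS_CLIENT negotiates the highest version both sides allow; the
    allowed range is narrowed with minimum_version/maximum_version, which map
    to OpenSSL's SSL_CTX_set_min/max_proto_version. A client certificate would
    be attached with ctx.load_cert_chain(certfile, keyfile) and has no effect
    on the negotiated version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_version_range(ctx: ssl.SSLContext) -> Tuple[str, str]:
    """Report the configured range as enum names, e.g. ('TLSv1_2', 'TLSv1_2')."""
    return ctx.minimum_version.name, ctx.maximum_version.name


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (constructed helper, lengths < 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _der_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def x509_version(cert_der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate.

    Mirrors the X509_CINF layout quoted in the answer: tbsCertificate is the
    first element of Certificate, and version is a [0] EXPLICIT INTEGER that
    is omitted for v1 (the "[ 0 ] default of v1" comment on the struct).
    """
    tag, cert_body, _ = _der_read_tlv(cert_der, 0)
    if tag != 0x30:                      # Certificate ::= SEQUENCE
        raise ValueError("not a DER Certificate SEQUENCE")
    tag, tbs, _ = _der_read_tlv(cert_body, 0)
    if tag != 0x30:                      # tbsCertificate ::= SEQUENCE
        raise ValueError("missing tbsCertificate SEQUENCE")
    tag, first, _ = _der_read_tlv(tbs, 0)
    if tag != 0xA0:                      # no [0] tag: version absent, default v1
        return 1
    itag, ival, _ = _der_read_tlv(first, 0)
    if itag != 0x02:                     # the explicit tag wraps an INTEGER
        raise ValueError("version field is not an INTEGER")
    return int.from_bytes(ival, "big") + 1   # on the wire v3 is encoded as 2


def build_toy_cert(version: Optional[int]) -> bytes:
    """Constructed, truncated Certificate: tbsCertificate holds only the
    optional [0] version and serialNumber = 1, so it is NOT a usable
    certificate, just the head of the structure that x509_version() reads."""
    fields = b""
    if version is not None:
        fields += _der_tlv(0xA0, _der_tlv(0x02, bytes([version - 1])))
    fields += _der_tlv(0x02, b"\x01")                  # serialNumber
    return _der_tlv(0x30, _der_tlv(0x30, fields))      # Certificate(tbsCertificate)


if __name__ == "__main__":
    print("TLS range:", tls_version_range(make_tls12_only_context()))
    print("v3 toy cert ->", x509_version(build_toy_cert(3)))
    print("v1 toy cert (no [0] field) ->", x509_version(build_toy_cert(None)))
```

The practical consequence for the question: pin the protocol range where the connection is configured (SSLContext here; in .NET, the SslProtocols value passed when authenticating the SslStream or HttpClient handler), and treat the certificate file as independent of it. The only version the certificate carries is its X.509 version, and as the answer notes there is no reason not to use v3, which is the one that can carry extensions.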