We have a Linux C program that uses the OpenSSL APIs and acts as a TLS server. It currently has code like:

  context = SSL_CTX_new(TLS_method());

The OpenSSL v1.1.1 manual page says this will support SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. However, we now have a new requirement to support only TLS 1.3. Will setting SSL_CTX_set_min_proto_version(TLS1_3_VERSION) just do the trick? Or is there another practical way for the server to reject client connections with a version lower than TLS 1.3?

Mateusz Piotrowski
hardbean

2 Answers

7

Calling SSL_CTX_set_min_proto_version(context, TLS1_3_VERSION); is all that is needed. This restricts sessions created from this context to not use versions of TLS below 1.3.

Also, you can use TLS_server_method to create a context object that will create sessions that default to server mode.

dbush
2

Another solution, similar to the one already posted, is to use SSL_CTX_set_options, which allows you to pass all the protocols you want to ignore, such as

SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2
Irelia