
How to specify the TLS version for an x509 Certificate

I am developing an application that communicates with a server through a secure communication. So the user of the application should choose a client certificate file (x509 certificate). I want to add the possibility for the user to specify the TLS version. I didn't find any attribute in the instance of x509Certificate cert = new X509Certificate(FileName) that identifies the TLS version. How to proceed?

Version of TLS and version of X509 certificate are two totally different things. If you're referring to the TLS version, it can be specified with various versions of client/server methods of the openssl library (can be set on SSL_CTX or SSL):

const SSL_METHOD *SSLv23_method(void);
const SSL_METHOD *TLSv1_2_method(void);
const SSL_METHOD *TLSv1_1_method(void);
const SSL_METHOD *TLSv1_method(void);
const SSL_METHOD *SSLv3_method(void);
const SSL_METHOD *SSLv2_method(void);

But if you really mean the version of X509, this can be defined using openssl library functions. The X509 struct holds a certificate info struct which is defined as (1.0.2l) below:

typedef struct x509_cinf_st {
    ASN1_INTEGER *version;      /* [ 0 ] default of v1 */
    ASN1_INTEGER *serialNumber;
    X509_ALGOR *signature;
    X509_NAME *issuer;
    X509_VAL *validity;
    X509_NAME *subject;
    X509_PUBKEY *key;
    ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
    ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
    STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
    ASN1_ENCODING enc;
} X509_CINF;

And you will most probably be using the functions below to handle the version:

X509_CINF *X509_CINF_new(void);
X509_CINF *d2i_X509_CINF(X509_CINF **val_out, const unsigned char **der_in, long length);
int i2d_X509_CINF(X509_CINF *val_in, unsigned char **der_out);

But since v2 and v3 hold optional fields, there is no reason not to have v3.
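An added example (not part of the answer above, and not OpenSSL's own code) that makes the same distinction concrete: the TLS version is a property of the connection context, while the X.509 version is the optional `[0]` field at the start of the TBSCertificate, exactly as the `X509_CINF` struct shows. The DER fragments are constructed for the example and are not real certificates; `x509_version` and `tls_client_context` are names chosen here.

```python
import ssl

# Constructed DER fragments (not real certificates): only the outer
# Certificate SEQUENCE, the TBSCertificate SEQUENCE and its first fields.
# [0] EXPLICIT version INTEGER 2 (X.509 v3), then serialNumber INTEGER 1
V3_PREFIX = bytes.fromhex("300a3008a003020102020101")
# No [0] tag at all: the version field is absent and DEFAULTs to v1
V1_PREFIX = bytes.fromhex("30053003020101")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der):
    """X.509 version (1, 2 or 3) from DER, mirroring X509_CINF.version."""
    tag, tbs_start, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, tbs_start)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, vstart, _ = _read_tlv(der, pos)        # [0] version or serialNumber
    if tag != 0xA0:
        return 1                                # [0] absent: DEFAULT v1
    tag, istart, iend = _read_tlv(der, vstart)  # INTEGER inside [0]
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1   # encoded as v-1


def tls_client_context(min_version=ssl.TLSVersion.TLSv1_2, certfile=None, keyfile=None):
    """The TLS version floor lives on the context, independent of any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies peer + hostname by default
    ctx.minimum_version = min_version
    if certfile:                                    # client certificate, if the user chose one
        ctx.load_cert_chain(certfile, keyfile)
    return ctx
```

Loading a v1 or v3 client certificate into the context does not change its TLS floor; only `minimum_version` (or the per-version `*_method` calls from the answer) does.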
