SSL_CTX_set_ssl_version changes security level

Benjamin Kaduk bkaduk at akamai.com
Mon May 11 15:31:29 UTC 2020


On Mon, May 11, 2020 at 05:01:27PM +0900, NAKANO Takuho wrote:
> Hello,
> 
> I've found SSL_CTX_set_ssl_version changes security level:
> 
> =====
> #include <stdio.h>
> #include <openssl/ssl.h>
> 
> int main(void){
>   int i;
>   SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
>   if (ctx == NULL) return 1;
> 
>   printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>   // 0--5 any
> 
>   i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
>   printf("SSL_CTX_set_ssl_version result: %d\n", i);
>   // i == 1; success
> 
>   printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>   // result 2
> 
>   SSL_CTX_free(ctx);
>   return 0;
> }
> =====
> 
> OS: CentOS 8
> OpenSSL 1.1.1c FIPS  28 May 2019
> 
> Are there any reasons?
> I know SSLv23_method is deprecated. That does not matter.

Note that SSL_CTX_set_ssl_version() has to re-set the cipher list
to filter out ciphers unsupported by the new version.  It uses
the default cipher list as its starting point, which I assume on
EL8 includes the security level in the cipher string.
You can set the cipher list (and security level) back to what you
want afterward, but I note that this behavior is a result of the
OS-vendor customization and not inherent to openssl.

-Ben

