SSL_CTX_set_ssl_version changes security level

Benjamin Kaduk bkaduk at akamai.com
Mon May 11 20:37:51 UTC 2020


On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> 2020年5月12日(火) 0:31 Benjamin Kaduk <bkaduk at akamai.com>:
> 
> > OS-vendor customization
> 
> Thank you. That's very helpful. I get how to configure (but don't know why...).
> 
> On CentOS 8:
> First result of SSL_CTX_get_security_level depends on
> A: /etc/pki/tls/openssl.cnf .
> 
> To be more precise, set "CipherString = @SECLEVEL=5:..."
> or "CipherString = @SECLEVEL=0:..." in
> B: /etc/crypto-policies/back-ends/opensslcnf.config
> that is included by A.
> 
> *BUT* second result of SSL_CTX_get_security_level depends on
> C: /etc/crypto-policies/back-ends/openssl.config
> (I assume SSL_CTX_set_ssl_version internally refer this file).
> File C has a single line beginning with:
> @SECLEVEL=2:kEECDH:..
> If I change this level, the second result changes.
> Maybe it's on RHEL8 patch (system-cipherlist.patch).

https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
suggests (the ssl.h chunk) that this patch does force the use of the "system
profile" as the default cipher list.

-Ben


More information about the openssl-users mailing list