SSL_CTX_set_ssl_version changes security level

Tomas Mraz tmraz at redhat.com
Tue May 12 07:01:51 UTC 2020


On Mon, 2020-05-11 at 13:37 -0700, Benjamin Kaduk via openssl-users
wrote:
> On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> > 2020年5月12日(火) 0:31 Benjamin Kaduk <bkaduk at akamai.com>:
> > 
> > > OS-vendor customization
> > 
> > Thank you. That's very helpful. I get how to configure (but don't
> > know why...).
> > 
> > On CentOS 8:
> > First result of SSL_CTX_get_security_level depends on
> > A: /etc/pki/tls/openssl.cnf .
> > 
> > To be more precise, set "CipherString = @SECLEVEL=5:..."
> > or "CipherString = @SECLEVEL=0:..." in
> > B: /etc/crypto-policies/back-ends/opensslcnf.config
> > that is included by A.
> > 
> > *BUT* second result of SSL_CTX_get_security_level depends on
> > C: /etc/crypto-policies/back-ends/openssl.config
> > (I assume SSL_CTX_set_ssl_version internally refers to this file).
> > File C has a single line beginning with:
> > @SECLEVEL=2:kEECDH:..
> > If I change this level, the second result changes.
> > Maybe it's on RHEL8 patch (system-cipherlist.patch).
> 
> https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
> suggests (the ssl.h chunk) that this patch does force the use of the
> "system profile" as the default cipher list.

Yes, on Fedora/RHEL 8 you need to replace the cipher strings in both
/etc/crypto-policies/back-ends/openssl.config and
/etc/crypto-policies/back-ends/opensslcnf.config config files, or you
have to override the cipher string with a non-default one from the
application.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
