TLSv1.0 on OpenSSL 3.0-API (looking for answers)
Heikki Vatiainen
hvn at open.com.au
Mon Apr 22 08:22:18 UTC 2024
On 22.4.2024 11.01, Yuko Doki (Fujitsu) via openssl-users wrote:
> I have not configured any providers, so the default provider will be used.
>
> When using RedHat Linux distribution, "@SECLEVEL=0" did not seem to work.
> The versions are as follows.
> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
> Will changing the provider in the file "openssl.cnf" have any effect?
>
> I also tried with OpenSSL built from the source downloaded from "https://www.openssl.org/source/", on Solaris.
> This time, adding "@SECLEVEL=0" was effect, the TLS1.0 connection was successful.
> The versions are as follows.
> OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
>
> This problem seems to occur only in the RedHat distribution, so it might be better to ask RedHat.
See RedHat documentation about their system-wide crypto policies:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
There's, for example, a table that tells that TLSv1.1 and earlier are
not enabled by default. With RHEL 8 they could be enabled, but with 9 it
seems the can not. Even with command 'update-crypto-policies' it appears
not possible to enable TLSv1.0.
Please let us know how it goes,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
More information about the openssl-users
mailing list