TLSv1.0 on OpenSSL 3.0-API

Yuko Doki (Fujitsu) doki.yuko at fujitsu.com
Tue Apr 23 06:43:01 UTC 2024


Thank you for the information, Heikki.

I understood from the RedHat documentation you pointed out that no matter
 what crypto policy I specify, I cannot use TLSv1.1 or earlier on RHEL9.

On the other hand, I have confirmed that connections using TLSv1.1 or earlier
 are possible even on RHEL9 by using the package "compat-openssl11".
I suspect that this is not covered by the crypto policy.

I would like to report this with gratitude.

Kind regards,
Yuko Doki

-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Heikki Vatiainen
Sent: Monday, April 22, 2024 5:22 PM
To: openssl-users at openssl.org
Subject: Re: TLSv1.0 on OpenSSL 3.0-API (looking for answers)

On 22.4.2024 11.01, Yuko Doki (Fujitsu) via openssl-users wrote:

> I have not configured any providers, so the default provider will be used.
> 
> When using RedHat Linux distribution, "@SECLEVEL=0" did not seem to work.
> The versions are as follows.
>    OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
> Will changing the provider in the file "openssl.cnf" have any effect?
> 
> I also tried with OpenSSL built from the source downloaded from "https://www.openssl.org/source/", on Solaris.
> This time, adding "@SECLEVEL=0" was effect, the TLS1.0 connection was successful.
> The versions are as follows.
>    OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
> 
> This problem seems to occur only in the RedHat distribution, so it might be better to ask RedHat.


See RedHat documentation about their system-wide crypto policies:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

There's, for example, a table that tells that TLSv1.1 and earlier are 
not enabled by default. With RHEL 8 they could be enabled, but with 9 it 
seems the can not. Even with command 'update-crypto-policies' it appears 
not possible to enable TLSv1.0.

Please let us know how it goes,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software


More information about the openssl-users mailing list