[openssl-commits] [web] master update
Rich Salz
rsalz at openssl.org
Thu Sep 7 12:13:03 UTC 2017
The branch master has been updated
via ea3e33718a7158c159b9cc385015ed975e40bb8f (commit)
from e2ddd31429c929b348a986ca8aca415b5b889aa5 (commit)
- Log -----------------------------------------------------------------
commit ea3e33718a7158c159b9cc385015ed975e40bb8f
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Wed Sep 6 15:49:10 2017 -0500
Attempt to add a FAQ about TLS security levels
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/web/pull/23)
-----------------------------------------------------------------------
Summary of changes:
docs/faq-3-prog.txt | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/docs/faq-3-prog.txt b/docs/faq-3-prog.txt
index 45a33ad..8665b0a 100644
--- a/docs/faq-3-prog.txt
+++ b/docs/faq-3-prog.txt
@@ -142,6 +142,19 @@ Rules (DER): these uniquely specify how a given structure is encoded.
Therefore, because DER is a special case of BER, DER is an acceptable encoding
for BER.
+* I tried to set a cipher list with a valid cipher, but the call fails, why?
+
+OpenSSL 1.1.0 introduced the concept of a “security level”, allowing
+for a configuration to be made more secure by excluding algorithms
+and key sizes that are known to be flawed or susceptible to brute force at
+a given level of work. SSL_CTX_set_security_level(3) can be used to
+programmatically set a security level, or the keyword "@SECLEVEL=N" can
+be used in a TLS cipher string, for values of N from 0 to 5 (inclusive).
+The default is level 1, which excludes MD5 as the MAC and algorithms
+with less than 80 bits of security. A value of 0 can be used, with appropriate
+caution, to produce behavior compatible with previous versions of OpenSSL
+(to the extent possible), but this is not recommended for general usage.
+
* I've called <some function> and it fails, why?
Before submitting a report or asking in one of the mailing lists, you
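Review bot: The added answer (from "OpenSSL 1.1.0 introduced" onward) never states the conclusion the question asks for: that a cipher which is valid by name is excluded when it falls below the active security level, which is why the cipher-list call fails. Suggest adding one sentence saying so before the sentence introducing SSL_CTX_set_security_level(3), so a reader arriving from the question sees the cause and the remedy together. Separately, “security level” in the first added paragraph line uses typographic quotes while "@SECLEVEL=N" a few lines later uses ASCII quotes; since docs/faq-3-prog.txt is a plain-text file, use ASCII quotes in both places.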