[openssl-commits] [web] master update

Rich Salz rsalz at openssl.org
Wed Jan 3 16:28:04 UTC 2018


The branch master has been updated
       via  6ea307b0734aaeb87d422c47e35d6363a0a7c760 (commit)
      from  921a2b6e320239af22d2be268d84f66262891d1f (commit)


- Log -----------------------------------------------------------------
commit 6ea307b0734aaeb87d422c47e35d6363a0a7c760
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Jan 3 11:27:33 2018 -0500

    More doc on security level
    
    Inspired by https://github.com/openssl/web/pull/37 by Ben Kaduk

-----------------------------------------------------------------------

Summary of changes:
 docs/faq-4-build.txt | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/docs/faq-4-build.txt b/docs/faq-4-build.txt
index 55f7e85..7c16f52 100644
--- a/docs/faq-4-build.txt
+++ b/docs/faq-4-build.txt
@@ -177,12 +177,26 @@ Warning: known-insecure ciphers are disabled in newer releases of OpenSSL.
 There is good reason why these have been disabled by default. Consider upgrading
 to more robust options as these ciphers may only provide a facade of security.
 This option is not recommended for anyone other than maintainers of legacy
-applications.
+applications.  There are two parts to doing this.  First, you must configure
+with "enable-weak-ssl-ciphers."  This compiles the ciphers, but does not
+enable them at run-time; to do this you must set the "security level" flag.
+This can be done at build time to change the default, or it can be done at
+runtime to change it for particular SSL_CTX; see
+@@@https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html@@@
+for details.
 
-You must set the weak ciphers flag and override the default SECLEVEL with:
+In other words, you should do one of the following:
 
 <PRE>
     ./config enable-weak-ssl-ciphers -DOPENSSL_TLS_SECURITY_LEVEL=0
 </PRE>
 
-Then follow compilation/install procedure like normal...
+or
+
+<PRE>
+    # To configure and build
+    ./config enable-weak-ssl-ciphers
+
+    /* In your code */
+    SSL_CTX_set_security_level(ctx, 0);
+</PRE>
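Review bot: "In other words, you should do one of the following" presents the two options as interchangeable, but the added paragraph itself says the build-time flag changes the default while the runtime call changes it for one SSL_CTX. It would help to say so next to the examples: -DOPENSSL_TLS_SECURITY_LEVEL=0 lowers the default for everything using that build, whereas SSL_CTX_set_security_level(ctx, 0) is limited to the one context that needs the legacy ciphers. In the second <PRE> block, the shell comment "# To configure and build" and the C comment "/* In your code */" share one block. Splitting it into a shell block and a C block would make clear which line is typed where. Smaller points in the added paragraph: the period inside the quotes in "enable-weak-ssl-ciphers." can be read as part of the option name and is better placed outside the quotes, and "for particular SSL_CTX" should read "for a particular SSL_CTX". The removed line "Then follow compilation/install procedure like normal..." was also the only mention of the build step after the first option, so a short replacement may be worth keeping.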

