Testing TLS 1.0 with OpenSSL master

John Baldwin jhb at FreeBSD.org
Mon Aug 24 20:38:41 UTC 2020

On 8/18/20 9:49 AM, Matt Caswell wrote:
> On 17/08/2020 18:55, John Baldwin wrote:
>> 1) Is 'auth_level' supposed to work for this?  The CHANGES.md change
>>    references SSL_CTX_set_security_level and openssl(1) claims that
>>    '-auth_level' changes this?  Is the CHANGES.md entry wrong and only
>>    SECLEVEL=0 for the ciphers work by design?
> openssl(1) says this about auth_level:
> "Set the certificate chain authentication security level to I<level>.
> The authentication security level determines the acceptable signature
> and public key strength when verifying certificate chains."
> However, the problem you are seeing is about *handshake* signatures
> using SHA1 - so auth_level is not appropriate.

I think what I found confusing is that later in the text it says this:

"See SSL_CTX_set_security_level(3) for the definitions of the available

so I had assumed it was calling that function.

>> 2) The hang when using a 'master' client seems like a regression?
> Fix for this issue here:
> https://github.com/openssl/openssl/pull/12670


John Baldwin

More information about the openssl-users mailing list