Testing TLS 1.0 with OpenSSL master
Kurt Roeckx
kurt at roeckx.be
Tue Aug 25 12:50:57 UTC 2020
On Mon, Aug 24, 2020 at 01:38:41PM -0700, John Baldwin wrote:
> On 8/18/20 9:49 AM, Matt Caswell wrote:
> >
> >
> > On 17/08/2020 18:55, John Baldwin wrote:
> >> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change
> >> references SSL_CTX_set_security_level and openssl(1) claims that
> >> '-auth_level' changes this? Is the CHANGES.md entry wrong and only
> >> SECLEVEL=0 for the ciphers work by design?
> >
> > openssl(1) says this about auth_level:
> >
> > "Set the certificate chain authentication security level to I<level>.
> > The authentication security level determines the acceptable signature
> > and public key strength when verifying certificate chains."
> >
> > However, the problem you are seeing is about *handshake* signatures
> > using SHA1 - so auth_level is not appropriate.
>
> I think what I found confusing is that later in the text it says this:
>
> "See SSL_CTX_set_security_level(3) for the definitions of the available
> levels."
>
> so I had assumed it was calling that function.
It calls X509_VERIFY_PARAM_set_auth_level(), which also says to
look at SSL_CTX_set_security_level().
If you call SSL_CTX_set_security_level(),
X509_VERIFY_PARAM_set_auth_level() will be called with the same
value.
Kurt
More information about the openssl-users mailing list