Question about handshake error

Niki Dinsey niki.dinsey at
Wed Mar 11 17:08:49 UTC 2020

Thanks Matt for your reply earlier. Following your advice, I've edited the
following line in my openssl.cnf file:

CipherString = DEFAULT@SECLEVEL=1

and it now works in s_client and curl:

niks@DESKTOP-O2VP5O2:/etc/ssl$ curl
DAY 2020","webDescriptionOverride":"GIVING DAY

Thanks so much for the help resolving the issue.

As for going back to the software vendor, I absolutely want to but don't
hold out too much hope they will change anything.
I'm basically going to say this:

The certificate chain contains two redundant root certificates. These
should be removed, as there is no need to send root certificates, and because
they are signed with SHA1, stricter servers like Debian are dropping the

Does that sound about right?

As for the conversation with Viktor, it's all over my head! Can I just
ignore and get back to work? Thanks again


On Wed, 11 Mar 2020 at 15:33, Viktor Dukhovni <openssl-users at>

> On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote:
> > I think the server could be OpenSSL, because why I made sure that
> s/why/while/.
> > self-signed CA signatures are not subjected to security levels in
> > x509_vfy.c, the same exclusion does not appear to be present in:
> >
> >     int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
> > [...]
> --
>     Viktor.

Niki Dinsey
IS Manager
07974 214718
01235 849061 (x261)
