SSL_CTX_set_ssl_version changes security level

Benjamin Kaduk bkaduk at
Mon May 11 20:37:51 UTC 2020

On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> 2020年5月12日(火) 0:31 Benjamin Kaduk <bkaduk at>:
> > OS-vendor customization
> Thank you. That's very helpful. I get how to configure (but don't know why...).
> On CentOS 8:
> First result of SSL_CTX_get_security_level depends on
> A: /etc/pki/tls/openssl.cnf .
> To be more precise, set "CipherString = @SECLEVEL=5:..."
> or "CipherString = @SECLEVEL=0:..." in
> B: /etc/crypto-policies/back-ends/opensslcnf.config
> that is included by A.
> *BUT* second result of SSL_CTX_get_security_level depends on
> C: /etc/crypto-policies/back-ends/openssl.config
> (I assume SSL_CTX_set_ssl_version internally refer this file).
> File C has a single line beginning with:
> If I change this level, the second result changes.
> Maybe it's on RHEL8 patch (system-cipherlist.patch).
suggests (the ssl.h chunk) that this patch does force the use of the "system
profile" as the default cipher list.


More information about the openssl-users mailing list