How to query current settings/policies?

Thomas Deutschmann whissi at
Tue Jun 22 12:12:28 UTC 2021


With OpenSSL 3 defaulting to TLS security level 1, applications trying
to make a TLSv1/1.1 connection will fail.

I wonder if there is a proper way to detect current security level.

I.e. how about test suites which need to know if they have to skip a 
test or not?

For example, I am currently looking at MySQL which has a test to ensure
that you are still able to connect to a TLS 1.3 enabled server with

The test already knows about the fact that the system could have a restricted
minimum TLS version, see

However, this solution isn't stable: It's just parsing some files from
hard-coded paths (what about the OPENSSL_CONF environment variable?) and

Furthermore it knows nothing about Gentoo Linux for example. But even 
with Ubuntu, you could have a policy in place which overrides set 

Is there a way to use the openssl CLI to query this information and allow
test suites, for example, to skip tests in a more reliable way? Or what's
the recommended way for tests?

Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


More information about the openssl-users mailing list