How to query current settings/policies?
Thomas Deutschmann
whissi at gentoo.org
Tue Jun 22 12:12:28 UTC 2021
Hi,
with OpenSSL 3 defaulting to TLS security level 1, applications trying
to make a TLSv1/1.1 connection will fail.
I wonder if there is a proper way to detect the current security level.
I.e. how about test suites which need to know if they have to skip a
test or not?
For example, I am currently looking at MySQL, which has a test to ensure
that you are still able to connect to a TLS 1.3 enabled server with
TLSv1/1.1:
https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test
The test already knows about the fact that the system could have restricted
the minimum TLS version, see
https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc
However, this solution isn't stable: It's just parsing some files from
hard coded paths (what about OPENSSL_CONF environment variable?) and
guesses.
Furthermore it knows nothing about Gentoo Linux for example. But even
with Ubuntu, you could have a policy in place which overrides set
OPENSSL_TLS_SECURITY_LEVEL=2 from configure.
Is there a way to use the openssl CLI to query this information and allow
test suites, for example, to skip tests in a more reliable way? Or what's
the recommended way for tests?
--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
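Added example, not part of Thomas's message or of the MySQL test suite it links to: instead of parsing configuration files from guessed paths, a test harness can ask the installed OpenSSL directly whether it will still complete a handshake at a given protocol version. The probe below runs a loopback `openssl s_server` / `openssl s_client` pair pinned to one version, so whatever policy is in effect (the system openssl.cnf, an `OPENSSL_CONF` override, a distribution's patched default security level) is exercised by the real library rather than inferred. It assumes a POSIX shell, an `openssl` binary on PATH and a usable 127.0.0.1; the function name `tls_probe`, the port choice and the throwaway certificate are the example's own.

```shell
#!/bin/sh
# Loopback handshake probe for the OpenSSL build that is actually installed.
# It answers the real question ("can this OpenSSL still do TLS 1.1?") instead
# of parsing openssl.cnf: whatever policy is in effect (system openssl.cnf,
# OPENSSL_CONF, distro-patched defaults, a SECLEVEL in the config) is applied
# by s_server/s_client themselves.
#
# Usage: tls_probe <protocol flag>   e.g.  tls_probe -tls1_1
# Exit status: 0 = handshake succeeded, 1 = handshake refused,
#              2 = probe could not be set up (no openssl binary, cert generation failed).

tls_probe() {
    ver="$1"
    dir=$(mktemp -d) || return 2
    # High port derived from the PID so concurrent probes do not collide
    # (example's own choice).
    port=$((20000 + $$ % 20000))

    # Throwaway self-signed certificate. 2048-bit RSA with SHA-256 is accepted
    # at security levels 0..2, so the certificate never causes the refusal;
    # only the protocol version under test does.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj '/CN=localhost' \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 2
    fi

    # Server side: accept exactly one connection, pinned to the version under test.
    openssl s_server -accept "$port" -naccept 1 -quiet \
        -cert "$dir/cert.pem" -key "$dir/key.pem" "$ver" >/dev/null 2>&1 &
    srv=$!
    sleep 1

    # Client side: same version pin. s_client exits non-zero when the handshake
    # fails (for -tls1_1 under SECLEVEL >= 1 this is "no protocols available").
    # Verification of the self-signed cert fails but does not abort s_client.
    if openssl s_client -connect "127.0.0.1:$port" "$ver" </dev/null >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi

    kill "$srv" 2>/dev/null
    wait "$srv" 2>/dev/null
    rm -rf "$dir"
    return "$rc"
}

# Report one line per version; a test suite would call tls_probe -tls1_1 once
# and skip its legacy-protocol cases on a non-zero result.
for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    rc=0
    tls_probe "$flag" || rc=$?
    case "$rc" in
        0) echo "$flag: handshake OK" ;;
        1) echo "$flag: refused by this OpenSSL build/policy" ;;
        *) echo "$flag: probe could not run" ;;
    esac
done
```

Because the decision is made by the same OpenSSL the application under test will use, the result is the same whether the restriction comes from `OPENSSL_TLS_SECURITY_LEVEL` at configure time, from a `system_default` section in openssl.cnf, or from a distribution patch, and no per-distribution path list is needed.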