How to query current settings/policies?
Tomas Mraz
tomas at openssl.org
Tue Jun 22 12:53:07 UTC 2021
On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> Hi,
>
> with OpenSSL 3 defaulting to TLS security level 1, applications trying
> to make a TLSv1/1.1 connection will fail.
>
> I wonder if there is a proper way to detect the current security level.
>
> I.e. how about test suites which need to know if they have to skip a
> test or not?
>
> For example, I am currently looking at MySQL which has a test to ensure
> that you are still able to connect to a TLS 1.3 enabled server with
> TLSv1/1.1:
> https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test
>
> The test already knows about the fact that the system could have a
> restricted minimum TLS version, see
> https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc
>
> However, this solution isn't stable: it's just parsing some files from
> hard-coded paths (what about the OPENSSL_CONF environment variable?) and
> guesses.
>
> Furthermore it knows nothing about Gentoo Linux, for example. But even
> with Ubuntu, you could have a policy in place which overrides the
> OPENSSL_TLS_SECURITY_LEVEL=2 set from configure.
>
> Is there a way to use the openssl CLI to query this information and
> allow test suites, for example, to skip tests in a more reliable way? Or
> what's the recommended way for tests?
There is already such a feature request:
https://github.com/openssl/openssl/issues/14570
Unfortunately it was not implemented in time for beta1, so this is now a
post-3.0 item.
I would recommend explicitly setting security level 0 via a cipher
string when executing the test.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
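Since the thread concludes that there is no CLI query for the effective security level, the practical alternative for a test suite is to probe it: attempt the TLSv1.1 handshake the test depends on against a throwaway server whose own policy is forced to `@SECLEVEL=0` in its cipher string (the approach Tomas recommends), and skip when the client side refuses. The shell below is an added example written for this page; it is not code from the thread, from MySQL, or from OpenSSL. It assumes an `openssl` binary with 1.1.1/3.x CLI syntax in PATH, working loopback networking, and a free TCP port (`PROBE_PORT`, an assumed environment variable defaulting to 14433).

```shell
#!/bin/sh
# Added example for this thread; not code from MySQL, OpenSSL or the
# posters. It probes what a test suite wants to know: will the OpenSSL
# in PATH complete a TLSv1.1 handshake under a given client-side cipher
# string? The throwaway server side forces @SECLEVEL=0 (the approach
# Tomas recommends), so only the client policy is under test.
#
# Assumptions (not from the thread): an `openssl` binary with 1.1.1/3.x
# CLI syntax, working loopback networking, and a free TCP port
# (PROBE_PORT, default 14433).

PROBE_PORT="${PROBE_PORT:-14433}"

# Wrap a command in coreutils `timeout` when available so a stalled
# handshake cannot hang the test run.
with_timeout() {
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$@"
    else
        "$@"
    fi
}

# tls11_probe [CIPHER_STRING]  -> prints exactly one word:
#   ok       TLSv1.1 handshake completed under this client policy
#   fail     refused (security level, MinProtocol, TLSv1.1 compiled out)
#            or the probe server was unreachable
#   unknown  no usable openssl binary, nothing could be tested
# With no argument the client runs under the library's effective default
# policy (openssl.cnf, OPENSSL_CONF, build-time OPENSSL_TLS_SECURITY_LEVEL).
tls11_probe() {
    cipher="$1"
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }

    tmp=$(mktemp -d) || { echo unknown; return 0; }
    # Throwaway self-signed cert. 2048-bit RSA is accepted at levels 0-2,
    # so the key size cannot be the reason a handshake fails.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; echo unknown; return 0; }

    # Server: TLSv1.1 only, security level forced to 0 via the cipher
    # string, serves a single connection then exits.
    openssl s_server -accept "$PROBE_PORT" -naccept 1 -tls1_1 \
        -cipher 'DEFAULT:@SECLEVEL=0' \
        -cert "$tmp/cert.pem" -key "$tmp/key.pem" >/dev/null 2>&1 &
    server=$!
    sleep 1

    # Client: the policy actually being asked about.
    set -- -connect "127.0.0.1:$PROBE_PORT" -tls1_1
    if [ -n "$cipher" ]; then
        set -- "$@" -cipher "$cipher"
    fi
    # s_client prints "Protocol  : TLSv1.1" in its SSL-Session block only
    # after a completed handshake; "Q" on stdin makes it disconnect.
    if printf 'Q\n' | with_timeout openssl s_client "$@" 2>/dev/null \
            | grep -q 'Protocol *: TLSv1.1'; then
        result=ok
    else
        result=fail
    fi

    kill "$server" 2>/dev/null || true
    wait "$server" 2>/dev/null || true
    rm -rf "$tmp"
    echo "$result"
}

# Usage in a test harness (run once, then skip the TLSv1/1.1 cases when
# the default policy reports "fail" but level 0 reports "ok"):
#   default_policy=$(tls11_probe)
#   level0=$(tls11_probe 'DEFAULT:@SECLEVEL=0')
```

Running the probe twice, once with no cipher string and once with `DEFAULT:@SECLEVEL=0`, separates the two causes of a failing TLSv1.1 test: a client policy that forbids the protocol (default fails, level 0 succeeds; the test can either skip or, as Tomas suggests, pass the level-0 cipher string itself) and a build with TLSv1.1 compiled out (both fail; the test must skip). This answers the question from the handshake outcome rather than from parsed configuration files, so it holds whatever `OPENSSL_CONF`, a distribution policy, or a build-time security level did to the defaults.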