How to query current settings/policies?

Tomas Mraz tomas at
Tue Jun 22 12:53:07 UTC 2021

On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> Hi,
> with OpenSSL 3 defaulting to TLS security level 1, applications
> trying 
> to make a TLSv1/1.1 connection will fail.
> I wonder if there is a proper way to detect current security level.
> I.e. how about test suites which need to know if they have to skip a 
> test or not?
> For example, I am currently looking at MySQL which has a test to
> ensure, 
> that you are still able to connect to TLS 1.3 enabled server with 
> TLSv1/1.1: 
> The test already knows about the fact that system could have
> restricted 
> minimum TLS version, see 
> However, this solution isn't stable: It's just parsing some files
> from 
> hard coded paths (what about OPENSSL_CONF environment variable?) and 
> guesses.
> Furthermore it knows nothing about Gentoo Linux for example. But
> even 
> with Ubuntu, you could have a policy in place which overrides set 
> OPENSSL_TLS_SECURITY_LEVEL=2 from configure.
> Is there a way to use openssl CLI to query this information and
> allow 
> test suites for example to skip tests on a more reliable way? Or
> what's 
> the recommended way for tests?

There is already such feature request:

Unfortunately it was not implemented in time for beta1 so this is now
Post 3.0 item.

I would recommend explicitly setting security level 0 via a cipher
string when executing the test.

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-users mailing list