How to query current settings/policies?

Mark H. Wood mwood at iupui.edu
Tue Jun 22 13:09:57 UTC 2021


On Tue, Jun 22, 2021 at 02:53:07PM +0200, Tomas Mraz wrote:
> On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> > Hi,
> > 
> > with OpenSSL 3 defaulting to TLS security level 1, applications trying
> > to make a TLSv1/1.1 connection will fail.
> > 
> > I wonder if there is a proper way to detect the current security level.
> > 
> > I.e. how about test suites which need to know if they have to skip a
> > test or not?
> > 
> > For example, I am currently looking at MySQL which has a test to ensure
> > that you are still able to connect to a TLS 1.3 enabled server with
> > TLSv1/1.1:
> > https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test
> > 
> > The test already knows about the fact that the system could have a
> > restricted minimum TLS version, see
> > https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc
> > 
> > However, this solution isn't stable: It's just parsing some files from
> > hard coded paths (what about the OPENSSL_CONF environment variable?) and
> > guesses.
> > 
> > Furthermore it knows nothing about Gentoo Linux for example. But even
> > with Ubuntu, you could have a policy in place which overrides the
> > OPENSSL_TLS_SECURITY_LEVEL=2 set from configure.
> > 
> > Is there a way to use the openssl CLI to query this information and
> > allow test suites for example to skip tests in a more reliable way? Or
> > what's the recommended way for tests?
> 
> There is already such a feature request:
> https://github.com/openssl/openssl/issues/14570
> 
> Unfortunately it was not implemented in time for beta1 so this is now a
> post-3.0 item.
> 
> I would recommend explicitly setting security level 0 via a cipher
> string when executing the test.

I second the motion.  If a test is sensitive to some setting of the
code under test, then the test should set it.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu