[Pkg-openssl-devel] Building alpha3 with -DOPENSSL_TLS_SECURITY_LEVEL=2

Kurt Roeckx kurt at roeckx.be
Wed Jun 17 21:00:30 BST 2020


On Wed, Jun 17, 2020 at 09:58:20PM +0200, Sebastian Andrzej Siewior wrote:
> On 2020-06-17 21:50:49 [+0200], Kurt Roeckx wrote:
> > I wasn't expecting that patch to be applied during the test suite.
> > But I also think that any test suite error caused by it, is a bug
> > in the test suite that should get fixed. I'll see if I can find
> > some time for this.
> 
> Ah. I could forward my current patch then.
> 
> > > and the testsuite uses this .cnf as default and expects TLS<1.2. Then I
> > > remember what you were saying in #918727 regarding the default level.
> > > 
> > > I've been looking at setting
> > >    -DOPENSSL_TLS_SECURITY_LEVEL=2
> > > 
> > > at build time. This would match 
> > >    CipherString = DEFAULT@SECLEVEL=2
> > > 
> > > just fine.
> > > However, for TLSv1.2 by default we would need security level 4
> > > (according to ssl_security_default_callback()).
> > 
> > That says that if you set level 4, the TLS version needs to be 1.2
> > or higher.
> 
> So how do we get DEFAULT@SECLEVEL=2 and MinProtocol = TLSv1.2 by default
> and so that it could be overriden?

The plan is to get older versions disabled by disabling SHA1 and
MD5 at security level 1.


Kurt
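For readers following the question above about shipping `DEFAULT@SECLEVEL=2` and `MinProtocol = TLSv1.2` as defaults that applications can still override: the mechanism OpenSSL 1.1.1 and later provide for this is the `system_default` SSL_CONF section of openssl.cnf, which is applied to every SSL_CTX at SSL_CTX_new() time. The fragment below is an added illustration of that mechanism written for this page; it is not a patch from this thread or a copy of any package's shipped openssl.cnf, and the section names `default_conf`, `ssl_sect` and `system_default_sect` are conventional labels chosen here (any names work as long as the references line up).

```ini
# Added example: a minimal openssl.cnf that applies a system-wide TLS floor.
# The "openssl_conf" key must sit in the unnamed default section at the top
# of the file, before any [section] header.
openssl_conf = default_conf

[default_conf]
# Point the library's SSL_CONF module at the section that holds per-SSL_CTX
# defaults. The key name "ssl_conf" is fixed by OpenSSL; the value is ours.
ssl_conf = ssl_sect

[ssl_sect]
# "system_default" is the fixed key OpenSSL consults in SSL_CTX_new().
# The referenced section is applied to every context the library creates.
system_default = system_default_sect

[system_default_sect]
# Refuse protocol versions below TLS 1.2 for every application that does
# not explicitly ask for something else.
MinProtocol = TLSv1.2
# Default cipher list at security level 2 (>= 112-bit security; this also
# rejects RSA/DH keys shorter than 2048 bits and SHA-1 signatures in the
# handshake).
CipherString = DEFAULT@SECLEVEL=2

# How these defaults can still be overridden (assumed usage notes, not
# configuration keys):
#   - per process: OPENSSL_CONF=/path/to/other.cnf selects a different file;
#   - per application: after SSL_CTX_new() the program may call
#     SSL_CTX_set_min_proto_version(ctx, 0) (lowest supported version) or
#     SSL_CTX_set_cipher_list(ctx, "DEFAULT@SECLEVEL=1") and its own setting
#     wins, because the system_default section is applied only once, at
#     context creation.
```

The practical check is to compile a build with and without `-DOPENSSL_TLS_SECURITY_LEVEL=2` and confirm that the behaviour of an application that sets nothing matches `SSL_CTX_get_security_level()` == 2 and `SSL_CTX_get_min_proto_version()` == TLS1_2_VERSION in both cases; the build-time define changes the compiled-in default level, while the config section above changes what every context gets after creation, so the two are complementary rather than interchangeable.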
