On Tue, Jun 22, 2021 at 02:53:07PM +0200, Tomas Mraz wrote:
> On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> > Hi,
> >
> > with OpenSSL 3 defaulting to TLS security level 1, applications trying
> > to make a TLSv1/1.1 connection will fail.
> >
> > I wonder if there is a proper way to detect current security level.
> >
> > I.e. how about test suites which need to know if they have to skip a
> > test or not?
> >
> > For example, I am currently looking at MySQL which has a test to ensure
> > that you are still able to connect to TLS 1.3 enabled server with
> > TLSv1/1.1:
> > https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test
> >
> > The test already knows about the fact that the system could have
> > restricted minimum TLS version, see
> > https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc
> >
> > However, this solution isn't stable: It's just parsing some files from
> > hard coded paths (what about OPENSSL_CONF environment variable?) and
> > guesses.
> >
> > Furthermore it knows nothing about Gentoo Linux for example. But even
> > with Ubuntu, you could have a policy in place which overrides set
> > OPENSSL_TLS_SECURITY_LEVEL=2 from configure.
> >
> > Is there a way to use openssl CLI to query this information and allow
> > test suites for example to skip tests in a more reliable way? Or what's
> > the recommended way for tests?
>
> There is already such a feature request:
> https://github.com/openssl/openssl/issues/14570
>
> Unfortunately it was not implemented in time for beta1 so this is now
> a post-3.0 item.
>
> I would recommend explicitly setting security level 0 via a cipher
> string when executing the test.

I second the motion. If a test is sensitive to some setting of the code
under test, then the test should set it.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu