Re: SSL_CTX_set_ssl_version changes security level
> https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
> suggests (the ssl.h chunk) that this patch does force the use of the "system
> profile" as the default cipher list.

https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl.spec
runs "./Configure" with the option below:

--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config

This path is where I pointed.

Takuho
Re: SSL_CTX_set_ssl_version changes security level
On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> On Tue, May 12, 2020 at 0:31 Benjamin Kaduk wrote:
> >
> > OS-vendor customization
>
> Thank you. That's very helpful. I get how to configure (but don't know
> why...).
>
> On CentOS 8:
> First result of SSL_CTX_get_security_level depends on
> A: /etc/pki/tls/openssl.cnf .
>
> To be more precise, set "CipherString = @SECLEVEL=5:..."
> or "CipherString = @SECLEVEL=0:..." in
> B: /etc/crypto-policies/back-ends/opensslcnf.config
> that is included by A.
>
> *BUT* second result of SSL_CTX_get_security_level depends on
> C: /etc/crypto-policies/back-ends/openssl.config
> (I assume SSL_CTX_set_ssl_version internally refers to this file).
> File C has a single line beginning with:
> @SECLEVEL=2:kEECDH:..
> If I change this level, the second result changes.
> Maybe it's in the RHEL8 patch (system-cipherlist.patch).

https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
suggests (the ssl.h chunk) that this patch does force the use of the "system
profile" as the default cipher list.

-Ben
Re: SSL_CTX_set_ssl_version changes security level
On Tue, May 12, 2020 at 0:31 Benjamin Kaduk wrote:
>
> On Mon, May 11, 2020 at 05:01:27PM +0900, NAKANO Takuho wrote:
> > Hello,
> >
> > I've found SSL_CTX_set_ssl_version changes security level:
> >
> > =
> > int main(void){
> >     int i;
> >     struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
> >
> >     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
> >     // 0--5 any
> >
> >     i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
> >     printf("SSL_CTX_set_ssl_version result: %d\n", i);
> >     // i ==1; success
> >
> >     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
> >     // result 2
> >
> >     return 0;
> > }
> > =
> >
> > OS: CentOS 8
> > OpenSSL 1.1.1c FIPS 28 May 2019
> >
> > Are there any reasons?
> > I know SSLv23_method is deprecated. That does not matter.
>
> Note that SSL_CTX_set_ssl_version() has to re-set the cipher list
> to filter out ciphers unsupported by the new version.  It uses
> the default cipher list as its starting point, which I assume on
> EL8 includes the security level in the cipher string.
> You can set the cipher list (and security level) back to what you
> want afterward, but I note that this behavior is a result of the
> OS-vendor customization and not inherent to openssl.
>
> OS-vendor customization

Thank you. That's very helpful. I get how to configure (but don't know
why...).

On CentOS 8:
First result of SSL_CTX_get_security_level depends on
A: /etc/pki/tls/openssl.cnf .

To be more precise, set "CipherString = @SECLEVEL=5:..."
or "CipherString = @SECLEVEL=0:..." in
B: /etc/crypto-policies/back-ends/opensslcnf.config
that is included by A.

*BUT* second result of SSL_CTX_get_security_level depends on
C: /etc/crypto-policies/back-ends/openssl.config
(I assume SSL_CTX_set_ssl_version internally refers to this file).
File C has a single line beginning with:
@SECLEVEL=2:kEECDH:..
If I change this level, the second result changes.
Maybe it's in the RHEL8 patch (system-cipherlist.patch).

When I tried on Ubuntu 18.04 with "OpenSSL 1.1.1d 10 Sep 2019", the
security level didn't change.

Regards,
Takuho
Re: SSL_CTX_set_ssl_version changes security level
On Mon, May 11, 2020 at 05:01:27PM +0900, NAKANO Takuho wrote:
> Hello,
>
> I've found SSL_CTX_set_ssl_version changes security level:
>
> =
> int main(void){
>     int i;
>     struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
>
>     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>     // 0--5 any
>
>     i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
>     printf("SSL_CTX_set_ssl_version result: %d\n", i);
>     // i ==1; success
>
>     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>     // result 2
>
>     return 0;
> }
> =
>
> OS: CentOS 8
> OpenSSL 1.1.1c FIPS 28 May 2019
>
> Are there any reasons?
> I know SSLv23_method is deprecated. That does not matter.

Note that SSL_CTX_set_ssl_version() has to re-set the cipher list
to filter out ciphers unsupported by the new version.  It uses
the default cipher list as its starting point, which I assume on
EL8 includes the security level in the cipher string.
You can set the cipher list (and security level) back to what you
want afterward, but I note that this behavior is a result of the
OS-vendor customization and not inherent to openssl.

-Ben
SSL_CTX_set_ssl_version changes security level
Hello,

I've found SSL_CTX_set_ssl_version changes security level:

=
#include <stdio.h>
#include <openssl/ssl.h>

int main(void)
{
    int i;
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());

    // Level as configured by the system (e.g. openssl.cnf CipherString)
    printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
    // 0--5 any

    i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
    printf("SSL_CTX_set_ssl_version result: %d\n", i);
    // i == 1; success

    // Level after the method change
    printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
    // result 2

    SSL_CTX_free(ctx);
    return 0;
}
=

OS: CentOS 8
OpenSSL 1.1.1c FIPS 28 May 2019

Are there any reasons?
I know SSLv23_method is deprecated. That does not matter.

Regards,
Takuho