On Mon, May 11, 2020 at 05:01:27PM +0900, NAKANO Takuho wrote:
> Hello,
>
> I've found SSL_CTX_set_ssl_version changes security level:
>
> =====
> #include <stdio.h>
> #include <openssl/ssl.h>
>
> int main(void){
>     int i;
>     struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
>
>     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>     // 0--5 any
>
>     i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
>     printf("SSL_CTX_set_ssl_version result: %d\n", i);
>     // i == 1; success
>
>     printf("seclevel: %d\n", SSL_CTX_get_security_level(ctx));
>     // result 2
>
>     SSL_CTX_free(ctx);
>     return 0;
> }
> =====
>
> OS: CentOS 8
> OpenSSL 1.1.1c FIPS 28 May 2019
>
> Are there any reasons?
> I know SSLv23_method is deprecated. That does not matter.

Note that SSL_CTX_set_ssl_version() has to re-set the cipher list to filter out ciphers unsupported by the new version. It uses the default cipher list as its starting point, which I assume on EL8 includes the security level in the cipher string.

You can set the cipher list (and security level) back to what you want afterward, but I note that this behavior is a result of the OS-vendor customization and not inherent to openssl.

-Ben