On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote: > 2020年5月12日(火) 0:31 Benjamin Kaduk <bkaduk@xxxxxxxxxx>: > > > OS-vendor customization > > Thank you. That's very helpful. I get how to configure (but don't know why...). > > On CentOS 8: > First result of SSL_CTX_get_security_level depends on > A: /etc/pki/tls/openssl.cnf . > > To be more precise, set "CipherString = @SECLEVEL=5:..." > or "CipherString = @SECLEVEL=0:..." in > B: /etc/crypto-policies/back-ends/opensslcnf.config > that is included by A. > > *BUT* second result of SSL_CTX_get_security_level depends on > C: /etc/crypto-policies/back-ends/openssl.config > (I assume SSL_CTX_set_ssl_version internally refer this file). > File C has a single line beginning with: > @SECLEVEL=2:kEECDH:.. > If I change this level, the second result changes. > Maybe it's on RHEL8 patch (system-cipherlist.patch). https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch suggests (the ssl.h chunk) that this patch does force the use of the "system profile" as the default cipher list. -Ben