On Mon, 2020-05-11 at 13:37 -0700, Benjamin Kaduk via openssl-users wrote:
> On Tue, May 12, 2020 at 05:22:29AM +0900, NAKANO Takuho wrote:
> > On Tue, 12 May 2020 at 0:31, Benjamin Kaduk <bkaduk@xxxxxxxxxx> wrote:
> > >
> > > OS-vendor customization
> >
> > Thank you. That's very helpful. I get how to configure (but don't
> > know why...).
> >
> > On CentOS 8:
> > The first result of SSL_CTX_get_security_level depends on
> > A: /etc/pki/tls/openssl.cnf .
> >
> > To be more precise, set "CipherString = @SECLEVEL=5:..."
> > or "CipherString = @SECLEVEL=0:..." in
> > B: /etc/crypto-policies/back-ends/opensslcnf.config
> > that is included by A.
> >
> > *BUT* the second result of SSL_CTX_get_security_level depends on
> > C: /etc/crypto-policies/back-ends/openssl.config
> > (I assume SSL_CTX_set_ssl_version internally refers to this file).
> > File C has a single line beginning with:
> > @SECLEVEL=2:kEECDH:..
> > If I change this level, the second result changes.
> > Maybe it's in the RHEL8 patch (system-cipherlist.patch).
>
> https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
> suggests (the ssl.h chunk) that this patch does force the use of the
> "system profile" as the default cipher list.

Yes, on Fedora/RHEL 8 you need to replace the cipher strings in both
/etc/crypto-policies/back-ends/openssl.config and
/etc/crypto-policies/back-ends/opensslcnf.config config files, or you have to
override the cipher string with a non-default one from the application.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
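The thread's conclusion is that on Fedora/RHEL 8 there are two back-end files carrying a cipher string with an `@SECLEVEL=N` prefix, and editing only one of them explains the two different answers from SSL_CTX_get_security_level. The script below is an added example, not code from the thread or from the crypto-policies project: it extracts the security level from each file's cipher string (the raw first line of openssl.config, the `CipherString =` value of opensslcnf.config) and reports whether the two agree. The file contents it writes are constructed, abridged samples, and the temp-directory layout is an assumption for the demo; on a real system you would point the check at the two `/etc/crypto-policies/back-ends/` paths named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the two RHEL 8 / Fedora
# crypto-policies back-end files agree on @SECLEVEL. The sample file
# contents and the temp directory below are constructed for the demo.

# Print the N from the first "@SECLEVEL=N" in a cipher string (empty if none).
seclevel_from_cipherstring() {
    printf '%s\n' "$1" | sed -n 's/.*@SECLEVEL=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# openssl.config holds the raw cipher string on its first non-comment,
# non-blank line (the string the patched SSL_CTX_set_ssl_version falls
# back to, per the thread).
cipherstring_from_openssl_config() {
    sed -n '/^[[:space:]]*#/d; /^[[:space:]]*$/d; p; q' "$1"
}

# opensslcnf.config is an openssl.cnf fragment included from
# /etc/pki/tls/openssl.cnf; the string is the value of "CipherString = ...".
cipherstring_from_opensslcnf_config() {
    sed -n 's/^[[:space:]]*CipherString[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# $1 = openssl.config path, $2 = opensslcnf.config path.
# Returns 0 when both files carry the same @SECLEVEL, 1 otherwise.
check_policy_seclevels() {
    a=$(seclevel_from_cipherstring "$(cipherstring_from_openssl_config "$1")")
    b=$(seclevel_from_cipherstring "$(cipherstring_from_opensslcnf_config "$2")")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "consistent: @SECLEVEL=$a in both files"
        return 0
    fi
    echo "MISMATCH: openssl.config=@SECLEVEL=${a:-none}" \
         "opensslcnf.config=@SECLEVEL=${b:-none}" >&2
    return 1
}

# Write a constructed, abridged pair of back-end files into directory $1,
# with level $2 in openssl.config and level $3 in opensslcnf.config.
write_sample_policy() {
    mkdir -p "$1"
    printf '@SECLEVEL=%s:kEECDH:kRSA:kEDH:-aDSS:!eNULL:!aNULL:!MD5\n' \
        "$2" > "$1/openssl.config"
    printf 'CipherString = @SECLEVEL=%s:kEECDH:kRSA:kEDH:-aDSS:!eNULL:!aNULL:!MD5\nMinProtocol = TLSv1.2\n' \
        "$3" > "$1/opensslcnf.config"
}

# Demo: one consistent pair, then the situation from the thread where only
# one of the two files was edited.
demo_dir=$(mktemp -d)
write_sample_policy "$demo_dir/ok" 2 2
check_policy_seclevels "$demo_dir/ok/openssl.config" "$demo_dir/ok/opensslcnf.config"
write_sample_policy "$demo_dir/bad" 2 5
check_policy_seclevels "$demo_dir/bad/openssl.config" "$demo_dir/bad/opensslcnf.config" || true
rm -rf "$demo_dir"
```

The check only reads the files; the remedy the thread gives is either to edit both files to the same `@SECLEVEL` or to have the application set its own non-default cipher string so the system profile is not consulted at all.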