On 8/18/20 9:49 AM, Matt Caswell wrote:
>
> On 17/08/2020 18:55, John Baldwin wrote:
>> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change
>> references SSL_CTX_set_security_level and openssl(1) claims that
>> '-auth_level' changes this? Is the CHANGES.md entry wrong and only
>> SECLEVEL=0 for the ciphers work by design?
>
> openssl(1) says this about auth_level:
>
> "Set the certificate chain authentication security level to I<level>.
> The authentication security level determines the acceptable signature
> and public key strength when verifying certificate chains."
>
> However, the problem you are seeing is about *handshake* signatures
> using SHA1 - so auth_level is not appropriate.

I think what I found confusing is that later in the text it says this:

"See SSL_CTX_set_security_level(3) for the definitions of the available
levels."

so I had assumed it was calling that function.

>> 2) The hang when using a 'master' client seems like a regression?
>>
>
> Fix for this issue here:
>
> https://github.com/openssl/openssl/pull/12670

Thanks!

--
John Baldwin