On Mon, Aug 24, 2020 at 01:38:41PM -0700, John Baldwin wrote:
> On 8/18/20 9:49 AM, Matt Caswell wrote:
> >
> > On 17/08/2020 18:55, John Baldwin wrote:
> >> 1) Is 'auth_level' supposed to work for this? The CHANGES.md change
> >> references SSL_CTX_set_security_level and openssl(1) claims that
> >> '-auth_level' changes this? Is the CHANGES.md entry wrong and only
> >> SECLEVEL=0 for the ciphers works by design?
> >
> > openssl(1) says this about auth_level:
> >
> > "Set the certificate chain authentication security level to I<level>.
> > The authentication security level determines the acceptable signature
> > and public key strength when verifying certificate chains."
> >
> > However, the problem you are seeing is about *handshake* signatures
> > using SHA1 - so auth_level is not appropriate.
>
> I think what I found confusing is that later in the text it says this:
>
> "See SSL_CTX_set_security_level(3) for the definitions of the available
> levels."
>
> so I had assumed it was calling that function.

It calls X509_VERIFY_PARAM_set_auth_level(), which also says to look at
SSL_CTX_set_security_level(). If you call SSL_CTX_set_security_level(),
X509_VERIFY_PARAM_set_auth_level() will be called with the same value.

Kurt