How to query current settings/policies?

Hi,

With OpenSSL 3 defaulting to TLS security level 1, applications trying to make a TLSv1/1.1 connection will fail.

I wonder if there is a proper way to detect the current security level.

I.e. how about test suites which need to know if they have to skip a test or not?

For example, I am currently looking at MySQL, which has a test to ensure that you are still able to connect to a TLS 1.3 enabled server with TLSv1/1.1: https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test

The test already knows about the fact that the system could have a restricted minimum TLS version, see https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc

However, this solution isn't stable: it's just parsing some files from hard-coded paths (what about the OPENSSL_CONF environment variable?) and guesses.

Furthermore, it knows nothing about Gentoo Linux, for example. But even with Ubuntu, you could have a policy in place which overrides the OPENSSL_TLS_SECURITY_LEVEL=2 set from configure.

Is there a way to use the openssl CLI to query this information and allow test suites, for example, to skip tests in a more reliable way? Or what's the recommended way for tests?


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
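
The post's objection to the MySQL include is that it reads hard-coded paths and ignores OPENSSL_CONF. As an added example (not from the post, MySQL or OpenSSL), the code below follows the openssl_conf -> ssl_conf -> system_default chain in whichever file OPENSSL_CONF selects. It assumes no .include directives or variable expansion, the fallback path and sample file are constructed, and None means the library's compiled-in default applies, which the file cannot reveal.

```python
import os
import re

# Constructed sample in the section layout Debian/Ubuntu use (not from the post).
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2   # constructed value
CipherString = DEFAULT:@SECLEVEL=2
"""

def parse_cnf(text):
    """Parse the subset of openssl.cnf used here: [sections], key = value, # comments."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("."):  # .include/.pragma are not followed (assumption)
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_policy(text):
    """Return (MinProtocol, security level) from the system_default section; None = not set."""
    sections = parse_cnf(text)
    name = sections["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):  # follow the indirection, not a fixed name
        name = sections.get(name, {}).get(key)
    policy = sections.get(name, {})
    level = re.search(r"@SECLEVEL=(\d)", policy.get("CipherString", ""))
    return policy.get("MinProtocol"), int(level.group(1)) if level else None

def policy_from_environment(fallback="/etc/ssl/openssl.cnf"):
    """OPENSSL_CONF wins over the built-in path; the fallback is an assumed location."""
    with open(os.environ.get("OPENSSL_CONF", fallback), encoding="utf-8") as fh:
        return system_default_policy(fh.read())
```

A test suite that gets `(None, None)` back still cannot tell which level the library was built with, which is the gap the post is asking about.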
