On Tue, 2021-06-22 at 14:12 +0200, Thomas Deutschmann wrote:
> Hi,
>
> with OpenSSL 3 defaulting to TLS security level 1, applications trying
> to make a TLSv1/1.1 connection will fail.
>
> I wonder if there is a proper way to detect the current security level.
>
> I.e. how about test suites which need to know if they have to skip a
> test or not?
>
> For example, I am currently looking at MySQL which has a test to ensure
> that you are still able to connect to a TLS 1.3 enabled server with
> TLSv1/1.1:
> https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/suite/auth_sec/t/tls13_tls1.test
>
> The test already knows about the fact that the system could have a
> restricted minimum TLS version, see
> https://github.com/mysql/mysql-server/blob/mysql-8.0.25/mysql-test/include/not_min_protocol_tlsv12.inc
>
> However, this solution isn't stable: it's just parsing some files from
> hard-coded paths (what about the OPENSSL_CONF environment variable?) and
> guesses.
>
> Furthermore, it knows nothing about Gentoo Linux, for example. But even
> with Ubuntu, you could have a policy in place which overrides the
> OPENSSL_TLS_SECURITY_LEVEL=2 set from configure.
>
> Is there a way to use the openssl CLI to query this information and
> allow test suites, for example, to skip tests in a more reliable way? Or
> what's the recommended way for tests?

There is already such a feature request:
https://github.com/openssl/openssl/issues/14570

Unfortunately it was not implemented in time for beta1, so this is now a
post-3.0 item.

I would recommend explicitly setting security level 0 via a cipher string
when executing the test.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
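As an added example (not from this thread, the MySQL test suite or OpenSSL itself), the approach recommended above expressed with Python's ssl module: the test asks for security level 0 through the `@SECLEVEL=0` cipher-string directive instead of guessing from config file paths, and reads the effective level back where the interpreter exposes it (`SSLContext.security_level`, Python 3.10+). All function names are assumptions.

```python
"""Skip-or-run helper for a test that needs TLSv1/1.1 on OpenSSL 3, whose
default security level (1) refuses those protocol versions.  Assumed
helper names; only Python's standard ssl module is used."""
import ssl


def effective_security_level(ctx):
    """Return the level OpenSSL enforces on ctx, or None when this
    interpreter cannot report it (SSLContext.security_level is 3.10+)."""
    return getattr(ctx, "security_level", None)


def legacy_tls_client_context():
    """Build a client context that explicitly requests security level 0 via
    the '@SECLEVEL=0' cipher-string directive.  That request is applied to
    the context itself, so it holds regardless of OPENSSL_CONF, distro
    policy or compile-time OPENSSL_TLS_SECURITY_LEVEL.  Certificate
    verification stays on: only the protocol floor is lowered, for the
    test's duration and for this context only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        # Either '@SECLEVEL' is not understood by this TLS library or
        # TLS 1.0 was compiled out; the legacy probe cannot run here.
        return None
    return ctx


def legacy_tls_probe_allowed():
    """True when the TLSv1/1.1 test should run, False when it must be
    skipped.  The decision is read from the live context, not from files
    at hard-coded paths."""
    ctx = legacy_tls_client_context()
    if ctx is None:
        return False
    level = effective_security_level(ctx)
    # None means an interpreter older than 3.10: the cipher string was
    # accepted, so the explicit level-0 request is in force even though it
    # cannot be read back.
    return level is None or level == 0


if __name__ == "__main__":
    print("legacy TLS probe allowed:", legacy_tls_probe_allowed())
```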