On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:

> > The security levels are documented. You can set the security level
> > in the cipher string:
> >
> > DEFAULT:@SECLEVEL=1
> >
> > or via the API.
>
> Ahh, OK. Indeed, when I set that as the cipher string the error goes
> away. Thank you!

You can, if you wish, change the default security level in openssl.cnf.
IIRC the default from the upstream OpenSSL software is 1. If your
system default is 2 or higher, that was done by your OS package
maintainers.

> I see that the API exposes SSL_CTX_get_security_level(); is that the
> best way to determine minimum RSA key size, or would there be anything
> more explicit?

The documentation for that function reads in part:

    Level 0
        Everything is permitted. This retains compatibility with
        previous versions of OpenSSL.

    Level 1
        The security level corresponds to a minimum of 80 bits of
        security. Any parameters offering below 80 bits of security are
        excluded. As a result RSA, DSA and DH keys shorter than 1024
        bits and ECC keys shorter than 160 bits are prohibited. Any
        cipher suite using MD5 for the MAC is also prohibited. Any
        cipher suites using CCM with a 64 bit authentication tag are
        prohibited. Note that signatures using SHA1 and MD5 are also
        forbidden at this level as they have less than 80 security
        bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are
        all disabled at this level.

    Level 2
        Security level set to 112 bits of security. As a result RSA,
        DSA and DH keys shorter than 2048 bits and ECC keys shorter
        than 224 bits are prohibited. In addition to the level 1
        exclusions any cipher suite using RC4 is also prohibited.
        Compression is disabled.

    Level 3
        Security level set to 128 bits of security. As a result RSA,
        DSA and DH keys shorter than 3072 bits and ECC keys shorter
        than 256 bits are prohibited. In addition to the level 2
        exclusions cipher suites not offering forward secrecy are
        prohibited. Session tickets are disabled.

    Level 4
        Security level set to 192 bits of security. As a result RSA,
        DSA and DH keys shorter than 7680 bits and ECC keys shorter
        than 384 bits are prohibited. Cipher suites using SHA1 for the
        MAC are prohibited.

    Level 5
        Security level set to 256 bits of security. As a result RSA,
        DSA and DH keys shorter than 15360 bits and ECC keys shorter
        than 512 bits are prohibited.

Levels 4 and 5 are tantamount to making RSA and DSA unavailable. Even
level 3 is too disruptive for interoperable use on the public Internet.
As you observed, Level 2 disables 1024-bit RSA.

The symmetric equivalent bit strength of a particular public key can be
queried via EVP_PKEY_security_bits(3):

    EVP_PKEY_security_bits() returns the number of security bits of the
    given pkey, bits of security is defined in NIST SP800-57.

-- 
Viktor.