> On Sep 26, 2022, at 11:47, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
>
> On Mon, Sep 26, 2022 at 10:46:40AM -0400, Felipe Gasper wrote:
>
>>> The security levels are documented. You can set the security level
>>> in the cipher string:
>>>
>>>     DEFAULT:@SECLEVEL=1
>>>
>>> or via the API.
>>
>> Ahh, OK. Indeed, when I set that as the cipher string the error goes away. Thank you!
>
> You can, if you wish, change the default security level in openssl.cnf.
> IIRC the default from the upstream OpenSSL software is 1. If your
> system default is 2 or higher, that was done by your OS package
> maintainers.
>
>> I see that the API exposes SSL_CTX_get_security_level(); is that the
>> best way to determine minimum RSA key size, or would there be anything
>> more explicit?
>
> The documentation for that function reads in part:
>
>     Level 0
>         Everything is permitted. This retains compatibility with
>         previous versions of OpenSSL.
>
>     Level 1
>         The security level corresponds to a minimum of 80 bits of
>         security. Any parameters offering below 80 bits of security are
>         excluded. As a result RSA, DSA and DH keys shorter than 1024
>         bits and ECC keys shorter than 160 bits are prohibited. Any
>         cipher suite using MD5 for the MAC is also prohibited. Any
>         cipher suites using CCM with a 64 bit authentication tag are
>         prohibited. Note that signatures using SHA1 and MD5 are also
>         forbidden at this level as they have less than 80 security bits.
>         Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all
>         disabled at this level.
>
>     Level 2
>         Security level set to 112 bits of security. As a result RSA, DSA
>         and DH keys shorter than 2048 bits and ECC keys shorter than 224
>         bits are prohibited. In addition to the level 1 exclusions any
>         cipher suite using RC4 is also prohibited. Compression is
>         disabled.
>
>     Level 3
>         Security level set to 128 bits of security. As a result RSA, DSA
>         and DH keys shorter than 3072 bits and ECC keys shorter than 256
>         bits are prohibited. In addition to the level 2 exclusions
>         cipher suites not offering forward secrecy are prohibited.
>         Session tickets are disabled.
>
>     Level 4
>         Security level set to 192 bits of security. As a result RSA, DSA
>         and DH keys shorter than 7680 bits and ECC keys shorter than 384
>         bits are prohibited. Cipher suites using SHA1 for the MAC are
>         prohibited.
>
>     Level 5
>         Security level set to 256 bits of security. As a result RSA, DSA
>         and DH keys shorter than 15360 bits and ECC keys shorter than
>         512 bits are prohibited.
>
> Levels 4 and 5 are tantamount to making RSA and DSA unavailable. Even
> level 3 is too disruptive for interoperable use on the public Internet.
>
> As you observed, Level 2 disables 1024-bit RSA. The symmetric
> equivalent bit strength of a particular public key can be queried via:
> EVP_PKEY_security_bits(3):
>
>     EVP_PKEY_security_bits() returns the number of security bits of the
>     given pkey, bits of security is defined in NIST SP800-57.

Thank you! It sounds like I’ll still need to hard code the correlation between security level and minimum security bits (i.e., as I see OpenSSL does in multiple locations), but that’s pretty trivial.

cheers,

-Felipe