Thank you for the information, Heikki. I understood from the RedHat documentation you pointed out that no matter what crypto policy I specify, I cannot use TLSv1.1 or earlier on RHEL9. On the other hand, I have confirmed that connections using TLSv1.1 or earlier are possible even on RHEL9 by using the package "compat-openssl11". I suspect that this is not covered by the crypto policy. I would like to report this with gratitude. Kind regards, Yuko Doki -----Original Message----- From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Heikki Vatiainen Sent: Monday, April 22, 2024 5:22 PM To: openssl-users@xxxxxxxxxxx Subject: Re: TLSv1.0 on OpenSSL 3.0-API (looking for answers) On 22.4.2024 11.01, Yuko Doki (Fujitsu) via openssl-users wrote: > I have not configured any providers, so the default provider will be used. > > When using RedHat Linux distribution, "@SECLEVEL=0" did not seem to work. > The versions are as follows. > OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022) > Will changing the provider in the file "openssl.cnf" have any effect? > > I also tried with OpenSSL built from the source downloaded from "https://www.openssl.org/source/";, on Solaris. > This time, adding "@SECLEVEL=0" was effect, the TLS1.0 connection was successful. > The versions are as follows. > OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) > > This problem seems to occur only in the RedHat distribution, so it might be better to ask RedHat. See RedHat documentation about their system-wide crypto policies: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening There's, for example, a table that tells that TLSv1.1 and earlier are not enabled by default. With RHEL 8 they could be enabled, but with 9 it seems the can not. Even with command 'update-crypto-policies' it appears not possible to enable TLSv1.0. Please let us know how it goes, Heikki -- Heikki Vatiainen OSC, makers of Radiator Visit radiatorsoftware.com for Radiator AAA server software
