Closed PSanetra closed 1 day ago
Does it work if you append :@SECLEVEL=0 to your cipher string?
This may have more implications than just re-enabling TLSv1.0 and 1.1 (or rather: SHA1 and MD5 signature algorithms, used by these protocols) though, depending on the OpenSSL version. See man SSL_CTX_set_security_level(3) on the same machine.
@SECLEVEL=0 at the beginning of the cipher string for openssl 3.0.0 and later, for ssl-config-generator Old configuration (which uses TLSv1 and TLSv1.1)

From https://docs.openssl.org/master/man3/SSL_CTX_set_security_level/:
Level 0 Everything is permitted. This retains compatibility with previous versions of OpenSSL.
Level 1 The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any cipher suites using CCM with a 64 bit authentication tag are prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at this level.
Support for TLS 1.1 and lower was moved to security level 0 in OpenSSL 3.0.1. This implies that by default those protocols will usually not be supported without further configuration.
Reproduce
The configuration will generate an nginx configuration that lists TLS 1.1 and 1.0, but those protocols will usually not work when OpenSSL 3.0.1 or higher is used at the same time.
Starting an nginx server with this configuration and issuing a TLS 1.1 or TLS 1.0 request against it will result in an SSL error like the following:
Related: https://github.com/nginxinc/docker-nginx/issues/743
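As an added illustration (not code from this issue or from ssl-config-generator), a small Python check that scans an nginx configuration for the mismatch described in this thread: ssl_protocols listing TLSv1 or TLSv1.1 while ssl_ciphers carries no @SECLEVEL=0 (the handshakes silently fail on OpenSSL 3.0.1+), and separately flags any @SECLEVEL=0, since per the man page excerpt above that level permits everything, not just the old protocol versions. The sample configs are constructed for the example.

```python
import re
from typing import Dict, List

LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample configs (not generated by ssl-config-generator).
OLD_PROFILE = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
"""
OLD_PROFILE_SECLEVEL0 = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers "@SECLEVEL=0:ECDHE-ECDSA-AES128-GCM-SHA256";
"""
MODERN_PROFILE = """
# ssl_protocols TLSv1;   <- commented out, must be ignored
ssl_protocols TLSv1.2 TLSv1.3;
"""


def parse_directives(config: str) -> Dict[str, List[str]]:
    """Map ssl_protocols / ssl_ciphers to their argument strings.
    '#' comments are stripped first; a directive ends at ';'."""
    stripped = re.sub(r"#.*", "", config)
    found: Dict[str, List[str]] = {}
    for m in re.finditer(r"\b(ssl_protocols|ssl_ciphers)\s+([^;]+);", stripped):
        found.setdefault(m.group(1), []).append(m.group(2).strip().strip("'\""))
    return found


def check_legacy_tls(config: str) -> List[str]:
    """Return human-readable findings for the seclevel/protocol mismatch."""
    directives = parse_directives(config)
    protocols = set()
    for args in directives.get("ssl_protocols", []):
        protocols.update(args.split())
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    ciphers = " ".join(directives.get("ssl_ciphers", []))
    seclevel0 = "@SECLEVEL=0" in ciphers
    findings = []
    if legacy and not seclevel0:
        findings.append(f"ssl_protocols lists {', '.join(legacy)} but ssl_ciphers "
                        "lacks @SECLEVEL=0: on OpenSSL 3.0.1+ these handshakes fail")
    if seclevel0:
        findings.append("ssl_ciphers sets @SECLEVEL=0: OpenSSL permits everything at "
                        "this level (SSL_CTX_set_security_level(3)), not only TLS 1.0/1.1")
    return findings


if __name__ == "__main__":
    for name, cfg in [("old", OLD_PROFILE), ("old+seclevel0", OLD_PROFILE_SECLEVEL0),
                      ("modern", MODERN_PROFILE)]:
        print(name, check_legacy_tls(cfg) or ["ok"])
```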