From 6ea307b0734aaeb87d422c47e35d6363a0a7c760 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Wed, 3 Jan 2018 11:27:33 -0500 Subject: [PATCH] More doc on security level Inspired by https://github.com/openssl/web/pull/37 by Ben Kaduk --- docs/faq-4-build.txt | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/docs/faq-4-build.txt b/docs/faq-4-build.txt index 55f7e85..7c16f52 100644 --- a/docs/faq-4-build.txt +++ b/docs/faq-4-build.txt @@ -177,12 +177,26 @@ Warning: known-insecure ciphers are disabled in newer releases of OpenSSL. There is good reason why these have been disabled by default. Consider upgrading to more robust options as these ciphers may only provide a facade of security. This option is not recommended for anyone other than maintainers of legacy -applications. +applications. There are two parts to doing this. First, you must configure +with "enable-weak-ssl-ciphers." This compiles the ciphers, but does not +enable them at run-time; to do this you must set the "security level" flag. +This can be done at build time to change the default, or it can be done at +runtime to change it for particular SSL_CTX; see +@@@https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html@@@ +for details. -You must set the weak ciphers flag and override the default SECLEVEL with: +In other words, you should do one of the following:
     ./config enable-weak-ssl-ciphers -DOPENSSL_TLS_SECURITY_LEVEL=0
 
-Then follow compilation/install procedure like normal... +or + +
+    # To configure and build
+    ./config enable-weak-ssl-ciphers
+
+    /* In your code */
+    SSL_CTX_set_security_level(ctx, 0);
+
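Review bot: the hunk presents the build-time define and the `SSL_CTX_set_security_level(ctx, 0)` call as interchangeable ("you should do one of the following"), but by the paragraph's own wording the first changes the default for every context the library creates while the second only affects one SSL_CTX; a sentence recommending the per-context call for legacy applications, since it limits the weakening to the contexts that actually need the old ciphers, would make the choice clearer. The text also never says what level 0 means, so a reader may not realise it is the lowest setting rather than a "weak ciphers only" switch; consider stating that briefly next to the manpage link. Minor: "for particular SSL_CTX" should read "for a particular SSL_CTX", and the period in `"enable-weak-ssl-ciphers."` belongs outside the quoted option name.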
-- 2.34.1