Comment 2 for bug 1856428

James Henstridge (jamesh) wrote :

For anyone who finds this bug, and wonders about the "Users can override this behaviour with a config file" part, here's what I did to get an OpenSSL-using application to talk to an old server that only supported TLSv1 (in my case, an old Mumble server):

1. create an "openssl.cnf" file somewhere with the following contents:

    openssl_conf = openssl_init

    [openssl_init]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    CipherString = DEFAULT@SECLEVEL=1

2. set the OPENSSL_CONF environment variable to this file's path when running the application.

I wouldn't recommend making the change to the global /etc/ssl/openssl.cnf, or setting $OPENSSL_CONF for situations where it isn't needed, since this does reduce the default security.