Security Levels

OpenSSL supports the concept of security levels to specify groups of cipher suites and key strength behavior.

To check the different security levels on your system and the ciphers associated with them, at the command prompt, type:

openssl ciphers -s -v ALL;@SECLEVEL=<n>

Where:

<n>
Can be 0 through 5.

Security increases with the security level. Items such as MD5 signatures and other weak items such as broken cipher suites and low security keys will be rejected at higher security levels.

Most new products default to security level 1, including but not limited to recent updates of Java, Chrome, and Firefox.

The default TLS security level starting with release 6.0 is 1. When using the default TLS security options, some very old clients that are restricted to the use of short RSA keys will no longer be able to connect. To preserve the behavior of such clients, you can change the security level to 0. This, however, is a deprecated behavior is only available for backward compatibility.

If you are setting your own cipher suite collections then they will inherit the OpenSSL 3.0 security level 1 behavior unless you modify their cipher suite collection to enforce a security level of 0. You can do this by prefixing @SECLEVEL=0 to the cipher suite collection.

Note: The default Security Level will be increased to 2 (@SECLEVEL=2) in the 10 release of Visual COBOL for Visual Studio.

With OpenSSL 3.0, security level 1 disables SSL and TLS versions prior to TLS 1.2, and will also prevent connections from TLS 1.2 clients which do not send the signature algorithms extension. Set security level 0 (@SECLEVEL=0) to permit interoperability with older TLS versions and clients.

Example Security Level 0

@SECLEVEL=0 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP

Example Security Level 1

@SECLEVEL=1 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
This matches the default configuration.