author: Pauli <pauli@openssl.org> 2022-05-06 10:42:16 +1000
committer: Tomas Mraz <tomas@openssl.org> 2022-11-21 10:49:51 +0100
commit: 0f6ff63bdf3d83eaa7c00ef100ff570618d1768b (patch)
tree: a2d774b128b36f49ae76fbd562e4f44a9b23e86a /doc/man3
parent: a8b6c9f83ce49b6192137c7600532441db885e19 (diff)
doc: add note that DTLS 1.0, TLS 1.1 and before are disabled at security level 1
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)
(cherry picked from commit 54b0c534eeb283878092e006e7f1e9315ec62ad6)
Diffstat (limited to 'doc/man3')
-rw-r--r-- doc/man3/SSL_CTX_set_security_level.pod 11
1 files changed, 5 insertions, 6 deletions
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index a459549001..54ef35b630 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -79,29 +79,28 @@ are prohibited. All export cipher suites are prohibited since they all offer
less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
using MD5 for the MAC is also prohibited. Note that signatures using SHA1
and MD5 are also forbidden at this level as they have less than 80 security
-bits.
+bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at
+this level.
=item B<Level 2>
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using RC4 is also
-prohibited. SSL version 3 is also not allowed. Compression is disabled.
+prohibited. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions cipher suites not offering forward
-secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
-tickets are disabled.
+secrecy are prohibited. Session tickets are disabled.
=item B<Level 4>
Security level set to 192 bits of security. As a result RSA, DSA and
DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
-prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS
-versions below 1.2 are not permitted.
+prohibited. Cipher suites using SHA1 for the MAC are prohibited.
=item B<Level 5>
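Review bot: In the Level 1 paragraph, the added sentence "Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at this level." gives no reason, and "Additionally" reads as if the restriction were unrelated to the sentence before it, which forbids SHA1 and MD5 signatures at this level. If the protocol versions are disabled as a consequence of that signature restriction, say so, so that readers see the two go together. The same paragraph writes "SSL version 2" a few lines earlier and "SSLv3" here; one naming style would read better. Separately, the Level 2 and Level 3 items keep their "In addition to the level N exclusions" wording, so the version limits removed there are still implied, but the Level 4 item has no such wording in the visible lines: once "TLS versions below 1.2 are not permitted" is dropped, nothing in that item tells the reader that the protocol version restrictions still apply. Consider adding an "In addition to the level 3 exclusions" clause to Level 4 to match the other items.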