openssl: Allow usage of insecure client certs
I have an application which has been distributed looooong ago. That application offers an https interface to clients with client certificate authentication. By the time the application was released, providing 1024-bit key length certificates was probably OK. Albeit we always advised customers to update the default cert with their own PKI, most of them are just using the default one, so I have thousands of instances running like this. Now I need to write a client (in Python) to query that application. This client will run on more modern Linux distros where libs and client apps are compiled against openssl 1.1.1a. As a result I always get the error below when trying to access the https interface using the weak default client cert:
OpenSSL error: 140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Running the same code on older distros (with older openssl) or using an application compiled against gnutls works OK.
A few questions:
- Am I right thinking this is a limitation introduced for security reason in openssl?
- If so, when was it introduced?
- Is there a way to disable this check? (preferably without recompiling client libs)
- Yes
- 1.1.1~~pre9-1 https://www.mail-archive.com/[email protected]/msg1625241.html
- On Debian, /etc/ssl/openssl.cnf https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
SECLEVEL 2 sets the security level to 112 bits. SECLEVEL 1 was the default in previous versions and is at the 80-bit level.
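As an added example (not part of the answer above or of the original application), here is how a Python client can lower the OpenSSL security level for its own SSLContext only, instead of editing the system-wide CipherString in /etc/ssl/openssl.cnf. The 1024-bit stand-in for the legacy default client cert is generated on the fly with the openssl command-line tool, which is assumed to be installed; the subject name and file names are arbitrary.

```python
import shutil
import ssl
import subprocess
import tempfile
from pathlib import Path


def make_client_context(seclevel: int) -> ssl.SSLContext:
    """Client-side TLS context with an explicit OpenSSL security level.

    The "@SECLEVEL=n" suffix on the cipher string overrides the level that
    openssl.cnf (CipherString = DEFAULT@SECLEVEL=2 on Debian) would apply,
    but only for this context, so the rest of the system keeps its default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")
    return ctx


def load_client_cert(ctx: ssl.SSLContext, certfile: str, keyfile: str) -> bool:
    """Load a client cert; return False if OpenSSL rejects the key as too weak.

    Any other SSLError (bad PEM, mismatched key) is re-raised unchanged.
    """
    try:
        ctx.load_cert_chain(certfile, keyfile)
        return True
    except ssl.SSLError as exc:
        # OpenSSL >= 1.1.1 reports "[SSL: EE_KEY_TOO_SMALL] ee key too small"
        if "key too small" in str(exc).lower():
            return False
        raise


def make_weak_cert(directory: str, bits: int = 1024):
    """Generate a self-signed RSA cert of the given size with the openssl CLI.

    Stands in for the legacy default client cert from the question (assumed
    file names and subject); returns (certfile, keyfile).
    """
    cert = str(Path(directory) / "legacy-client.pem")
    key = str(Path(directory) / "legacy-client.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-newkey", f"rsa:{bits}",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=legacy-client"],
        check=True, capture_output=True,
    )
    return cert, key


def demo() -> dict:
    """Try loading a 1024-bit client cert at security level 2 and at level 1."""
    result = {
        "openssl_available": shutil.which("openssl") is not None,
        "openssl_version": ssl.OPENSSL_VERSION_INFO,
        "seclevel2_loads": None,
        "seclevel1_loads": None,
    }
    if not result["openssl_available"]:
        return result
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_weak_cert(tmp)
        # Distro default on 1.1.1+: 112-bit level, a 1024-bit RSA key is refused
        result["seclevel2_loads"] = load_client_cert(make_client_context(2), cert, key)
        # Pre-1.1.1 behaviour: 80-bit level, the weak cert loads again
        result["seclevel1_loads"] = load_client_cert(make_client_context(1), cert, key)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The context returned by make_client_context(1) can be passed straight to urllib.request.urlopen(url, context=ctx) or to any HTTP client that accepts an SSLContext. Keep the lowered level scoped to the connections to the legacy appliances: SECLEVEL=1 also re-admits other sub-112-bit material (weak DH parameters, old server certificates) for that context, which is exactly what the global SECLEVEL=2 default in openssl.cnf is meant to refuse.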