This repository has been archived by the owner on Sep 29, 2024. It is now read-only.
Would it be possible to make this per-provider configurable? What is the OpenSSL default? It seems to depend on how OpenSSL was compiled... I'd recommend having a default of 2 or 3 and allow per-provider override...
Does SSL_CTX_set_security_level override SSL_CTX_set_options by any chance? This could potentially enable downgrade attacks?
WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended.
About the override I don't really know. It seems that the level was raised with "recent versions", given that I find related pages dating from 2018. Making it configurable is certainly possible.
I saw the warning, but this is not "general internet use". Also, I don't know from which year this warning is as level 1 allows SHA1 and SSLv3 which should never be used any more. So level 2 is the baseline now for what is still considered secure, anything lower than 2 should be a conscious choice...
The other part of my question regarding option overrides is also (very) important. Did you test for this? I can't find it in that man page, but maybe I am missing it.
Even better seems to be to always require level 2 and only list VPN providers that offer level 2 or higher, seems like a bad idea to make it easy for users to use insecure VPN providers...
Servers using weak cryptography (e.g. PureVPN) may fail TLS handshake with error 204.