For anyone who finds this bug, and wonders about the "Users can override this behaviour with a config file" part, here's what I did to get an OpenSSL-using application to talk to an old server that only supported TLSv1 (in my case, an old Mumble server):
1. create an "openssl.cnf" file somewhere with the following contents:
2. set the OPENSSL_CONF environment variable to this file's path when running the application.
I wouldn't recommend making the change to the global /etc/ssl/openssl.cnf, or setting $OPENSSL_CONF for situations where it isn't needed, since this does reduce the default security.
For anyone who finds this bug, and wonders about the "Users can override this behaviour with a config file" part, here's what I did to get an OpenSSL-using application to talk to an old server that only supported TLSv1 (in my case, an old Mumble server):
1. create an "openssl.cnf" file somewhere with the following contents:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_ default_ sect]
CipherString = DEFAULT@SECLEVEL=1
2. set the OPENSSL_CONF environment variable to this file's path when running the application.
I wouldn't recommend making the change to the global /etc/ssl/ openssl. cnf, or setting $OPENSSL_CONF for situations where it isn't needed, since this does reduce the default security.