Oleksandr Byelkin added a comment - 2019-10-11 13:11 georg , check is you can say something about it, if no reassign it to me please

Georg Richter added a comment - 2019-12-14 07:51 - edited TLSv1.0 and TLSv1.1 are deprecated in RHEL 8, unless crypto policy will be changed to legacy. # update-crypto-policies --set LEGACY It also looks like they were removed from core crypto libraries, otherwise the error would be "tlsv1 alert protocol version" See also: Security considerations in adopting RHEL8

Georg Richter added a comment - 2019-12-17 09:26 Patch attached

Sergei Golubchik added a comment - 2019-12-25 11:01 it's not LEGACY vs DEFAULT, it's sh-4.4$ grep MinP /etc/crypto-policies/back-ends/opensslcnf.config MinProtocol = TLSv1.2 A proper detection of supported protocols could be done like this: #!/bin/bash   openssl s_server -debug -cert std_data /server-cert .pem -key std_data /server-key .pem < /dev/zero > /dev/null 2>&1 & SERVER_PID=$!   for v in tls1 tls1_1 tls1_2 tls1_3; do if openssl s_client -$ v < /dev/null > /dev/null 2>&1; then echo $ v is supported else echo $ v is disabled fi done kill $SERVER_PID But this exact scrips works unreliably, it needs more work. Also it might be a tad too heavy to do it on every mtr run independently whether it'll run ssl tests or not.

Sergei Golubchik added a comment - 2019-12-25 11:26 stracing openssl s_server on RHEL8 shows that it reads /etc/pki/tls/openssl.cnf and /etc/crypto-policies/back-ends/opensslcnf.config

Georg Richter added a comment - 2019-12-26 14:22 Serg, how about checking the minimum supported version by a small c program which scans the configuration file(s)?! I attached a small example demo for it.