Security Levels

OpenSSL supports the concept of security levels to specify groups of cipher suites and key strength behavior.

To check the different security levels on your system and the ciphers associated with them, at the command prompt, type:

openssl ciphers -s -v ALL;@SECLEVEL=<n>


Can be 0 through 5.

Security increases with the security level. Items such as MD5 signatures and other weak items such as broken cipher suites and low security keys will be rejected at higher security levels.

Most new products default to security level 1, including but not limited to recent updates of Java, Chrome, and Firefox.

The default TLS security level starting with release 6.0 is 1. When using the default TLS security options, some very old clients that are restricted to the use of short RSA keys will no longer be able to connect. To preserve the behavior of such clients, you can change the security level to 0. This, however, is a deprecated behavior is only available for backward compatibility.

If you are setting your own cipher suite collections then they will inherit the new OpenSSL 1.1.1 security level 1 behavior unless you modify their cipher suite collection to enforce a security level of 0. You can do this by prefixing @SECLEVEL=0 to the cipher suite collection.

Example Security Level 0

This matches the default configuration.

Example Security Level 1