Security Levels

OpenSSL supports the concept of security levels to specify groups of cipher suites and key strength behavior.

To check the different security levels on your system and the ciphers associated with them, at the command prompt, type:

openssl ciphers -s -v ALL:@SECLEVEL=<n>

Where:

<n>
Can be 0 through 5.

Higher security levels are stricter. Weak items such as MD5 signatures, broken cipher suites, and low-security keys are rejected at higher security levels.

Most new products default to security level 1, including but not limited to recent updates of Java, Chrome, and Firefox.

To preserve the behavior of existing installations, the 5.0 release continues to support security level 0 as the default setting. This behavior is now deprecated and is provided for backward compatibility only.

Note: If you define your own cipher suite collections, they inherit the new OpenSSL 1.1.1 security level 1 behavior unless you modify the collection to enforce a security level of 0. To do this, prefix @SECLEVEL=0 to the cipher suite collection.
Attention: The default security level in the 6.0 release will be level 1.

Example Security Level 0

@SECLEVEL=0 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
This matches the default configuration.

Example Security Level 1

@SECLEVEL=1 kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
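
The following shell script is an added example, not part of the product documentation. It reports which security level a cipher suite collection enforces, assuming (per the Note above) that a collection with no @SECLEVEL token inherits level 1, and counts the suites the local openssl enables for it; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the security level a cipher suite collection enforces.
# Assumption (from the Note above): no @SECLEVEL token means level 1 is inherited.
DEFAULT_LEVEL=1

# Print the level for the collection in $1. Tokens may be separated by spaces,
# colons or commas; if several @SECLEVEL tokens occur, the last one is reported.
# Runs in a subshell so "set -f" (no globbing) does not leak to the caller.
effective_seclevel() (
    set -f
    level=$DEFAULT_LEVEL
    for tok in $(printf '%s' "$1" | tr ':,' '  '); do
        case $tok in
            @SECLEVEL=[0-5]) level=${tok#@SECLEVEL=} ;;
        esac
    done
    printf '%s\n' "$level"
)

# Print how many suites the local openssl enables for the collection in $1.
# -s applies the security level filter. Fails if openssl is not installed.
count_suites() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl ciphers -s -v "$1" 2>/dev/null | wc -l | tr -d ' '
}

# One-line verdict: level 0 is flagged because it is deprecated.
audit_collection() {
    lvl=$(effective_seclevel "$1")
    if [ "$lvl" -eq 0 ]; then
        printf 'WARN level=0 (deprecated, backward compatibility only)\n'
    else
        printf 'OK   level=%s\n' "$lvl"
    fi
}

# The two collections from this page, plus a constructed one with no prefix.
SUITES='kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM !3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP'
for c in "@SECLEVEL=0 $SUITES" "@SECLEVEL=1 $SUITES" "$SUITES"; do
    n=$(count_suites "$c") || n='n/a'
    printf '%s suites=%s  %s\n' "$(audit_collection "$c")" "$n" "${c%% *}"
done
```

Comparing the suite counts for the first two lines shows what moving from level 0 to level 1 removes on your system.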