Thanks. I think it is a good idea to set Level 2. I would like to understand whether someone still has a use case to support Level 0 or 1. Or can we change the default to 2 directly?

Thank you
Yao, Jiewen

________________________________
From: Li, Yi1 <yi1...@intel.com>
Sent: Wednesday, September 3, 2025 11:18 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; kanagav...@ami.com <kanagav...@ami.com>
Cc: Kinney, Michael D <michael.d.kin...@intel.com>; gaoliming <gaolim...@byosoft.com.cn>; Yao, Jiewen <jiewen....@intel.com>
Subject: Reminder for OpenSSL TLS security level changes

Hi,

We've received a request to increase TLS security level from 0 to 2.
https://github.com/tianocore/edk2/pull/11331

Level 0
Everything is permitted. This retains compatibility with previous versions of OpenSSL.

Level 1
The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any cipher suites using CCM with a 64 bit authentication tag are prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at this level.

Level 2
Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. Compression is disabled.

Disabling these generally not-recommended features is a good change to me, but considering this may break some users and cause surprise, I'd like to seek community feedback.
If there are no objections, I'll approve it in a week.

Thanks,
Yi
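
The following is an added example, not part of the thread and not edk2 or OpenSSL code: a pre-check that applies the Level 1 and Level 2 exclusions quoted above to an inventory of TLS peers, to find which ones would stop working if the default moved to 2. The `Peer` record, its field values and the peer names are hypothetical and constructed; the "Compression is disabled" rule is not modeled.

```python
from dataclasses import dataclass

# Minimum key sizes per level, as quoted in the message above.
MIN_KEY_BITS = {
    1: {"RSA": 1024, "DSA": 1024, "DH": 1024, "ECC": 160},
    2: {"RSA": 2048, "DSA": 2048, "DH": 2048, "ECC": 224},
}
LEVEL1_PROTOCOLS = {"SSLv3", "TLS1.0", "TLS1.1", "DTLS1.0"}  # disabled at level 1+
LEVEL1_SIG_HASHES = {"MD5", "SHA1"}                           # forbidden at level 1+

@dataclass
class Peer:  # hypothetical inventory record, not an edk2 or OpenSSL type
    name: str
    key_type: str   # "RSA", "DSA", "DH" or "ECC"
    key_bits: int
    sig_hash: str   # hash used in the certificate signature
    protocol: str   # highest protocol version the peer supports
    cipher: str     # OpenSSL cipher suite name the peer negotiates

def violations(peer, level):
    """Return the reasons `peer` is rejected at `level` (0, 1 or 2)."""
    reasons = []
    if level < 1:
        return reasons  # level 0: everything is permitted
    if peer.key_bits < MIN_KEY_BITS[level][peer.key_type]:
        reasons.append(f"{peer.key_type} key of {peer.key_bits} bits is too short")
    if peer.sig_hash.upper() in LEVEL1_SIG_HASHES:
        reasons.append(f"{peer.sig_hash} signature")
    if peer.protocol in LEVEL1_PROTOCOLS:
        reasons.append(f"{peer.protocol} is disabled")
    if peer.cipher.endswith("-MD5"):
        reasons.append("cipher suite uses MD5 for the MAC")
    if "CCM8" in peer.cipher:
        reasons.append("CCM with a 64-bit authentication tag")
    if level >= 2 and "RC4" in peer.cipher:
        reasons.append("cipher suite uses RC4")
    return reasons

def max_level(peer):
    """Highest of levels 0..2 at which the peer is still accepted."""
    return max(lvl for lvl in (0, 1, 2) if not violations(peer, lvl))

# Constructed sample inventory (not real hosts).
PEERS = [
    Peer("legacy-bmc", "RSA", 1024, "SHA1", "TLS1.0", "RC4-MD5"),
    Peer("old-pxe", "RSA", 1024, "SHA256", "TLS1.2", "AES128-SHA"),
    Peer("rc4-proxy", "RSA", 2048, "SHA256", "TLS1.2", "RC4-SHA"),
    Peer("modern", "ECC", 256, "SHA256", "TLS1.3", "TLS_AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    for p in PEERS:
        print(p.name, max_level(p), violations(p, 2))
```

Peers whose `max_level` is below 2 are the ones that would break under the proposed default.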