Yes it can be, quite trivially.
NB! This significantly decreases security & privacy and enables protocols and key sizes that are no longer deemed secure, and must not be used in production any more. Use at your own risk of getting hacked and all of your private data stolen.
--- /etc/ssl/openssl.cnf 2020-07-01 12:30:10.966775346 +0100
+++ /etc/ssl/openssl.cnf 2020-07-01 12:30:30.714978507 +0100
@@ -11,6 +11,8 @@
HOME = .
+openssl_conf = default_conf
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
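Review bot: the added line openssl_conf = default_conf has no comment saying that it must stay in the unnamed top part of the file, above the first [section] header. If a later edit moves it below a header, OpenSSL no longer finds it and the override stops applying without any error. Add a short comment above the line stating that placement requirement and naming the section it points to (default_conf).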
@@ -349,3 +351,11 @@
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
+ssl_conf = ssl_sect
+system_default = system_default_sect
+CipherString = DEFAULT@SECLEVEL=1
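Review bot: the three added lines at the end of this hunk (ssl_conf, system_default, CipherString) are shown with no section headers between them, so as written they become keys of whichever section ess_cert_id_alg sits in, and the default_conf section named by openssl_conf does not exist. The hunk header also promises 11 lines after the change (+351,11) while only 5 are visible, so lines are missing here. Each key needs its own header: [default_conf] before ssl_conf, [ssl_sect] before system_default, and [system_default_sect] before CipherString. A comment next to CipherString recording that SECLEVEL=1 is a deliberate downgrade would help whoever audits this file later.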
Note how the openssl_conf stanza has to be at the very top of the file, without a section. And how default_conf sections are appended at the end. This is a diff against stock /etc/ssl/openssl.cnf, which is the default system-wide config file that will be parsed by openssl.
However, you can also create that as a separate config file and use the environment variable OPENSSL_CONF=/path/to/patched/seclevel1-openssl.cnf and use that in individual service units, daemons, apps, to allow things on a per-app/per-user/per-daemon basis.
Note that it’s best to actually upgrade your clients & servers to support TLSv1.2.
Similarly for GnuTLS one can create
$ cat /etc/gnutls/config
default-priority-string = NORMAL
Or you use
Again, this significantly reduces security and increases the risk of your data being stolen.
Normally, the GnuTLS priority string is
Let me know if this helps, and if you have any issues do provide all the details, all the file paths, all the config files' contents. It’s quite easy to make a typo, and for things to not work as expected.
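Since a typo or a misplaced line makes the override silently not apply, here is an added example (not part of the original post) that follows the openssl_conf -> ssl_conf -> system_default chain in a config file and reports the effective SECLEVEL or the first broken link. The function names and the sample file are constructed for illustration, and the reader is deliberately minimal: it ignores OpenSSL's .include directives and variable expansion.

```python
import re

# Constructed sample in the layout the post describes (not a real system file).
SAMPLE = """\
HOME = .
openssl_conf = default_conf
[new_oids]
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
"""

def parse(text):
    """Minimal openssl.cnf reader: {section: {key: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_seclevel(text):
    """Return (seclevel, problem). seclevel is None when no @SECLEVEL is set
    or the chain is broken; problem describes the first broken link, else None."""
    cfg = parse(text)
    section = ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = cfg[section].get(key)
        if target is None:
            where = f"[{section}]" if section else "the unnamed top section"
            return None, f"{key} is not set in {where}"
        if target not in cfg:
            return None, f"{key} points to missing section [{target}]"
        section = target
    level = re.search(r"@SECLEVEL=(\d)", cfg[section].get("CipherString", ""))
    return (int(level.group(1)) if level else None), None

if __name__ == "__main__":
    print(system_default_seclevel(SAMPLE))
```

Run it against the file a service actually loads (the system-wide one, or the one named in OPENSSL_CONF) to confirm which hosts or units carry the lowered level.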