The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.

I already had added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in tumbleweed in order to keep OpenVPN working, so I cannot say for sure but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.

Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.

Pedro Monreal Gonzalez (pmonrealgonzalez) - 8 months ago

maintainer

Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce. TIA.