openssl

OpenSSL certificate incompatibility between versions 1.0.2 and 3.2.1


Recently, we have migrated to OpenSSL 3.2.1 from the old 1.0.2 version. Earlier we were using certificates with a key size of 2048 bits. Now, our application is not able to load those older certificates. So, my question is: are older certificates from OpenSSL v1.0.2 incompatible with the newer OpenSSL version 3.2.1, even if the certificate key size is 2048 bits?

I regenerated the certificates and it is working. But I wish the older certificates would work.


Solution

  • Self answering this question.

    After some debugging, we found that the ciphers which were being sent when using OpenSSL 1.0.* and even OpenSSL 3.1.* are not being sent now when using OpenSSL 3.2.1.

    Then I came across a new API, SSL_CTX_set_ciphersuites(), in addition to the older API SSL_CTX_set_cipher_list(). OpenSSL 3.2.1 mandates that for any TLSv1.3-related or mixed cipher, you need to use SSL_CTX_set_ciphersuites() as well as SSL_CTX_set_cipher_list(). When using this approach, all intended ciphers are now being exchanged. Additionally, the SSL_CTX_set_security_level() API can be used to set the security level to 0 (zero) to make it backward compatible. Set the security level to 1, in which case RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. Set the security level to 2, in which case RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. More details can be found in the OpenSSL documentation.