More info via man SSL_CTX_get_security_level The default seems appropriate for now. Some people might want to tighten things up. We might need to set it per-client to allow a new system to use servers running on old systems. -- These are my opinions. I hate spam.