fedora crypto-policies: initial support.

2024-12-18 16:56:36 -06:00
parent afff48f0d6
commit b5c47d27e0
15 changed files with 1642 additions and 146 deletions
--- a/configure.ac
+++ b/configure.ac
@ -8993,6 +8993,25 @@ AC_ARG_WITH([libsuffix],
 )
 AC_SUBST(LIBSUFFIX)
 # Support system wide crypto-policy file:
 #   - Pass path to your wolfssl.config system crypto-policy file.
 #   - Pass no argument to use default.
 AC_ARG_WITH([sys-crypto-policy],
    [AS_HELP_STRING([--with-sys-crypto-policy=PATH],[Support for system-wide crypto-policy file. (default: disabled)])],
    [ SYS_CRYPTO_POLICY=$withval],
    [ SYS_CRYPTO_POLICY=no ]
    )
 if test "$SYS_CRYPTO_POLICY" != "no"; then
    if test "$SYS_CRYPTO_POLICY" = "yes"; then
        # Default to the wolfssl fedora crypto-policy file.
        SYS_CRYPTO_POLICY="/etc/crypto-policies/back-ends/wolfssl.config"
    fi
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CRYPTO_POLICY"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CRYPTO_POLICY_FILE=\"$SYS_CRYPTO_POLICY\""
 fi
 AC_ARG_ENABLE([context-extra-user-data],
    [AS_HELP_STRING([--enable-context-extra-user-data],[Enables option for storing user-defined data in TLS API contexts, with optional argument the number of slots to allocate (default: disabled)])],
    [ ENABLED_EX_DATA=$enableval ],
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -1168,7 +1168,7 @@ static int ClientWriteRead(WOLFSSL* ssl, const char* msg, int msgSz,
 /*  4. add the same message into Japanese section         */
 /*     (will be translated later)                         */
 /*  5. add printf() into suitable position of Usage()     */
-static const char* client_usage_msg[][77] = {
+static const char* client_usage_msg[][78] = {
    /* English */
    {
        " NOTE: All files relative to wolfSSL home dir\n",          /* 0 */
@ -1404,9 +1404,12 @@ static const char* client_usage_msg[][77] = {
        "--rpk  Use RPK for the defined certificates\n", /* 74 */
 #endif
        "--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
 #ifdef WOLFSSL_SYS_CRYPTO_POLICY
        "--crypto-policy  <path to crypto policy file>\n", /* 76 */
 #endif
        "\n"
           "For simpler wolfSSL TLS client examples, visit\n"
-           "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
+           "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
        NULL,
    },
 #ifndef NO_MULTIBYTE_PRINT
@ -1649,10 +1652,13 @@ static const char* client_usage_msg[][77] = {
        "--rpk  Use RPK for the defined certificates\n", /* 74 */
 #endif
        "--files-are-der Specified files are in DER, not PEM format\n", /* 75 */
 #ifdef WOLFSSL_SYS_CRYPTO_POLICY
        "--crypto-policy  <path to crypto policy file>\n", /* 76 */
 #endif
        "\n"
        "より簡単なwolfSSL TLS クライアントの例については"
                                         "下記にアクセスしてください\n"
-        "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 76 */
+        "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 77 */
        NULL,
    },
 #endif
@ -2069,6 +2075,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
        { "rpk", 0, 267 },
 #endif /* HAVE_RPK */
        { "files-are-der", 0, 268 },
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
        { "crypto-policy", 1, 269 },
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
        { 0, 0, 0 }
    };
 #endif
@ -2213,6 +2222,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    int useRPK = 0;
 #endif /* HAVE_RPK */
    int fileFormat = WOLFSSL_FILETYPE_PEM;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    const char * policy = NULL;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    char buffer[WOLFSSL_MAX_ERROR_SZ];
@ -2932,6 +2945,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
            case 268:
                fileFormat = WOLFSSL_FILETYPE_ASN1;
                break;
            case 269:
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
                policy = myoptarg;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
                break;
            default:
                Usage();
                XEXIT_T(MY_EX_USAGE);
@ -3159,6 +3178,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    if (method == NULL)
        err_sys("unable to get method");
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (policy != NULL) {
        if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
            err_sys("wolfSSL_crypto_policy_enable failed");
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #ifdef WOLFSSL_STATIC_MEMORY
    #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
@ -4821,7 +4847,6 @@ exit:
    {
        func_args args;
        StartTCP();
 #if defined(WOLFSSL_SRTP) && defined(WOLFSSL_COND)
--- a/examples/crypto_policies/default/wolfssl.txt
+++ b/examples/crypto_policies/default/wolfssl.txt
@ -0,0 +1 @@
@SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!RC4:!eNULL:!aNULL
--- a/examples/crypto_policies/future/wolfssl.txt
+++ b/examples/crypto_policies/future/wolfssl.txt
@ -0,0 +1 @@
@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!AES128:!RC4:!eNULL:!aNULL:!SHA1
--- a/examples/crypto_policies/legacy/wolfssl.txt
+++ b/examples/crypto_policies/legacy/wolfssl.txt
@ -0,0 +1 @@
@SECLEVEL=1:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!eNULL:!aNULL
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -873,7 +873,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
 /*  4. add the same message into Japanese section         */
 /*     (will be translated later)                         */
 /*  5. add printf() into suitable position of Usage()     */
-static const char* server_usage_msg[][65] = {
+static const char* server_usage_msg[][66] = {
    /* English */
    {
        " NOTE: All files relative to wolfSSL home dir\n",               /* 0 */
@ -1056,11 +1056,14 @@ static const char* server_usage_msg[][65] = {
 #ifdef WOLFSSL_DUAL_ALG_CERTS
        "--altPrivKey <file> Generate alternative signature with this key.\n",
                                                                        /* 65 */
 #endif
 #ifdef WOLFSSL_SYS_CRYPTO_POLICY
        "--crypto-policy  <path to crypto policy file>\n", /* 66 */
 #endif
        "\n"
           "For simpler wolfSSL TLS server examples, visit\n"
           "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
-                                                                        /* 66 */
+                                                                        /* 67 */
        NULL,
    },
 #ifndef NO_MULTIBYTE_PRINT
@ -1261,12 +1264,15 @@ static const char* server_usage_msg[][65] = {
 #ifdef WOLFSSL_DUAL_ALG_CERTS
        "--altPrivKey <file> Generate alternative signature with this key.\n",
                                                                        /* 65 */
 #endif
 #ifdef WOLFSSL_SYS_CRYPTO_POLICY
        "--crypto-policy  <path to crypto policy file>\n", /* 66 */
 #endif
        "\n"
        "より簡単なwolfSSL TSL クライアントの例については"
                                          "下記にアクセスしてください\n"
        "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
-                                                                        /* 66 */
+                                                                        /* 67 */
        NULL,
    },
 #endif
@ -1545,6 +1551,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #ifdef WOLFSSL_DUAL_ALG_CERTS
        { "altPrivKey", 1, 267},
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
        { "crypto-policy", 1, 268 },
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
        { 0, 0, 0 }
    };
 #endif
@ -1669,6 +1678,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #if defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
    char* crlDir = NULL;
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    const char * policy = NULL;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #ifdef WOLFSSL_STATIC_MEMORY
    /* Note: Actual memory used is much less, this is the entire buffer buckets,
@ -2438,6 +2450,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
            altPrivKey = myoptarg;
            break;
 #endif
            case 268:
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
                policy = myoptarg;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
                break;
        case -1:
            default:
@ -2592,6 +2609,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
    if (method == NULL)
        err_sys_ex(runWithErrors, "unable to get method");
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (policy != NULL) {
        if (wolfSSL_crypto_policy_enable(policy) != WOLFSSL_SUCCESS) {
            err_sys("wolfSSL_crypto_policy_enable failed");
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #ifdef WOLFSSL_STATIC_MEMORY
    #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_STATIC_MEMORY_LEAN)
    /* print off helper buffer sizes for use with static memory
--- a/src/internal.c
+++ b/src/internal.c
@ -2264,6 +2264,225 @@ int InitSSL_Side(WOLFSSL* ssl, word16 side)
 }
 #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
 /* Check the wolfssl method meets minimum requirements for
 * the given security level.
 *
 * Returns  0 if method meets security level.
 * Returns  CRYPTO_POLICY_FORBIDDEN otherwise.
 * */
 static int wolfSSL_crypto_policy_method_allowed(WOLFSSL_METHOD * method,
                                                int level)
 {
    if (level == 0) {
        /* permissive, no restrictions. */
        return 0;
    }
    #ifdef WOLFSSL_DTLS
    if (method->version.major == DTLS_MAJOR) {
        if (method->version.minor == DTLS_MINOR) {
            /* sec level must be 1 or lower. */
            if (level > 1) {
                return CRYPTO_POLICY_FORBIDDEN;
            }
        }
    }
    else
    #endif /* WOLFSSL_DTLS */
    {
        if (method->version.minor == SSLv3_MINOR) {
            /* sec level must be 0. */
            if (level > 0) {
                return CRYPTO_POLICY_FORBIDDEN;
            }
        }
        else if (method->version.minor == TLSv1_MINOR ||
                 method->version.minor == TLSv1_1_MINOR) {
            /* sec level must be 1 or lower. */
            if (level > 1) {
                return CRYPTO_POLICY_FORBIDDEN;
            }
        }
    }
    /* nothing else to check, all other combinations ok. */
    return 0;
 }
 /* Configure the CTX to conform to the security policy.
 *
 * Also, check the WOLFSSL_METHOD against the supplied security
 * level.
 *
 * Returns  CRYPTO_POLICY_FORBIDDEN if not allowed per policy.
 * Returns  BAD_FUNC_ARG on null args.
 * Returns  0 if ok.
 * */
 int wolfSSL_crypto_policy_init_ctx(WOLFSSL_CTX * ctx,
                                   WOLFSSL_METHOD * method)
 {
    byte         minDowngrade = 0x00;
    #ifdef WOLFSSL_DTLS
    int          dtls = 0;
    #endif /* WOLFSSL_DTLS */
    int          level = 0;
    #if !defined(NO_DH) || !defined(NO_RSA)
    word16       minKeySz = 0; /* minimum DH or RSA key size */
    #endif /* !NO_DH || !NO_RSA*/
    #ifdef HAVE_ECC
    short        minEccKeySz = 0; /* minimum allowed ECC key size */
    #endif /* HAVE_ECC */
    if (ctx == NULL || method == NULL) {
        return BAD_FUNC_ARG;
    }
    #ifdef WOLFSSL_DTLS
    dtls = (method->version.major == DTLS_MAJOR);
    #endif /* WOLFSSL_DTLS */
    /* get the crypto policy security level. */
    level = wolfSSL_crypto_policy_get_level();
    if (level < 0 || level > 5) {
        WOLFSSL_MSG_EX("crypto_policy_init_ctx: invalid level: %d", level);
        return BAD_FUNC_ARG;
    }
    /* Check requested method per security level. */
    if (wolfSSL_crypto_policy_method_allowed(method, level) != 0) {
        WOLFSSL_MSG_EX("crypto_policy_init_ctx: "
                       "method=%d, SECLEVEL=%d combination not allowed",
                       method->version.minor, level);
        return CRYPTO_POLICY_FORBIDDEN;
    }
    /* Set appropriate min downgrade per security level. */
    #ifdef WOLFSSL_DTLS
    if (dtls) {
        switch (level) {
        case 1:
            minDowngrade = DTLS_MINOR;
            break;
        case 2:
        case 3:
        case 4:
        case 5:
            minDowngrade = DTLSv1_2_MINOR;
            break;
        case 0:
        default:
            /* Permissive, no restrictions. Allow defaults. */
            minDowngrade = WOLFSSL_MIN_DTLS_DOWNGRADE;
            break;
        }
    }
    else
    #endif /* WOLFSSL_DTLS */
    {
        switch (level) {
        case 1:
            /* prohibit SSLv3 and lower. */
            minDowngrade = TLSv1_MINOR;
            break;
        case 2:
        case 3:
        case 4:
        case 5:
            /* prohibit TLSv1_1 and lower. */
            minDowngrade = TLSv1_2_MINOR;
            break;
        case 0:
        default:
            ctx->minDowngrade = WOLFSSL_MIN_DOWNGRADE;
            break;
        }
    }
    /* Set min RSA and DH key size. */
    #if !defined(NO_DH) || !defined(NO_RSA)
    switch (level) {
    case 1:
        minKeySz = 128; /* 1024 bits / 8 */
        break;
    case 2:
        minKeySz = 256; /* 2048 bits / 8 */
        break;
    case 3:
        minKeySz = 384; /* 3072 bits / 8 */
        break;
    case 4:
        minKeySz = 960; /* 7680 bits / 8 */
        break;
    case 5:
        minKeySz = 1920; /* 15360 bits / 8 */
        break;
    case 0:
    default:
        break;
    }
    #endif /* !NO_DH || !NO_RSA*/
    /* Set min ECC key size. */
    #ifdef HAVE_ECC
    switch (level) {
    case 1:
        minEccKeySz = 20; /* 160 bits / 8 */
        break;
    case 2:
        minEccKeySz = 28; /* 224 bits / 8 */
        break;
    case 3:
        minEccKeySz = 32; /* 256 bits / 8 */
        break;
    case 4:
        minEccKeySz = 48; /* 384 bits / 8 */
        break;
    case 5:
        minEccKeySz = 64; /* 512 bits / 8 */
        break;
    default:
    case 0:
        break;
    }
    #endif /* HAVE_ECC */
    /* Finally set the ctx values. */
    ctx->minDowngrade = minDowngrade;
    ctx->secLevel = level;
    ctx->method = method;
    #if !defined(NO_DH) || !defined(NO_RSA)
    if (minKeySz > 0) {
        #ifndef NO_DH
        if (minKeySz > MAX_DHKEY_SZ) {
            WOLFSSL_MSG_EX("crypto_policy_init_ctx: minKeySz=%d, "
                           "but MAX_DHKEY_SZ=%d",
                           minKeySz, MAX_DHKEY_SZ);
            return CRYPTO_POLICY_FORBIDDEN;
        }
        ctx->minDhKeySz  = minKeySz;
        ctx->maxDhKeySz  = MAX_DHKEY_SZ;
        #endif /* NO_DH */
        #ifndef NO_RSA
        ctx->minRsaKeySz = minKeySz;
        #endif /* NO_RSA */
    }
    #endif /* !NO_DH || !NO_RSA*/
    #ifdef HAVE_ECC
    if (minEccKeySz > 0) {
        ctx->minEccKeySz  = minEccKeySz;
    }
    #endif /* HAVE_ECC */
    return 0;
 }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 /* Initialize SSL context, return 0 on success */
 int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 {
@ -2317,6 +2536,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 #ifndef NO_RSA
    ctx->minRsaKeySz = MIN_RSAKEY_SZ;
 #endif
 #ifdef HAVE_ECC
    ctx->minEccKeySz  = MIN_ECCKEY_SZ;
    ctx->eccTempKeySz = ECDHE_SIZE;
@ -2541,6 +2761,14 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
    ctx->doAppleNativeCertValidationFlag = 0;
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    ret = wolfSSL_crypto_policy_init_ctx(ctx, method);
    if (ret != 0) {
        WOLFSSL_MSG_EX("crypto_policy_init_ctx returned %d", ret);
        return ret;
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    return ret;
 }
@ -3220,8 +3448,8 @@ int AllocateSuites(WOLFSSL* ssl)
 void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
                word16 havePSK, word16 haveDH, word16 haveECDSAsig,
                word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
-                word16 haveFalconSig, word16 haveDilithiumSig, word16 haveAnon,
+                word16 haveAnon, word16 haveNull, word16 haveAES128,
-                word16 haveNull, int side)
+                word16 haveSHA1, word16 haveRC4, int side)
 {
    word16 idx = 0;
    int    tls    = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@ -3257,8 +3485,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
    (void)haveRSAsig; /* non ecc builds won't read */
    (void)haveAnon;   /* anon ciphers optional */
    (void)haveNull;
-    (void)haveFalconSig;
+    (void)haveAES128;
-    (void)haveDilithiumSig;
+    (void)haveSHA1;
    (void)haveRC4;
    if (suites == NULL) {
        WOLFSSL_MSG("InitSuites pointer error");
@ -3277,7 +3506,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_AES_128_GCM_SHA256
-    if (tls1_3) {
+    if (tls1_3 && haveAES128) {
        suites->suites[idx++] = TLS13_BYTE;
        suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
    }
@ -3291,14 +3520,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_AES_128_CCM_SHA256
-    if (tls1_3) {
+    if (tls1_3 && haveAES128) {
        suites->suites[idx++] = TLS13_BYTE;
        suites->suites[idx++] = TLS_AES_128_CCM_SHA256;
    }
 #endif
 #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
-    if (tls1_3) {
+    if (tls1_3 && haveAES128) {
        suites->suites[idx++] = TLS13_BYTE;
        suites->suites[idx++] = TLS_AES_128_CCM_8_SHA256;
    }
@ -3365,7 +3594,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveECC) {
+    if (tls1_2 && haveECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
    }
@ -3385,9 +3614,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    #ifdef OPENSSL_EXTRA
-    if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
+    if ((tls1_2 && haveRSA && haveAES128) ||
        (tls1_2 && haveECDSAsig && haveAES128)) {
    #else
-    if (tls1_2 && haveRSA) {
+    if (tls1_2 && haveRSA && haveAES128) {
    #endif
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
@ -3402,7 +3632,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveDH && haveRSA) {
+    if (tls1_2 && haveDH && haveRSA && haveAES128) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
    }
@ -3416,7 +3646,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveRSA && haveStaticRSA) {
+    if (tls1_2 && haveRSA && haveStaticRSA && haveAES128) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
    }
@ -3430,7 +3660,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveECC && haveStaticECC) {
+    if (tls1_2 && haveECC && haveStaticECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
    }
@ -3444,7 +3674,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveRSAsig && haveStaticECC) {
+    if (tls1_2 && haveRSAsig && haveStaticECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
    }
@ -3458,7 +3688,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
-    if (tls1_2 && haveECC) {
+    if (tls1_2 && haveECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256;
    }
@ -3472,7 +3702,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
-    if (tls1_2 && haveDH && haveAnon) {
+    if (tls1_2 && haveDH && haveAnon && haveAES128 && haveSHA1) {
      suites->suites[idx++] = CIPHER_BYTE;
      suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
    }
@ -3486,7 +3716,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && haveDH && havePSK) {
+    if (tls1_2 && haveDH && havePSK && haveAES128) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256;
    }
@ -3500,7 +3730,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
-    if (tls1_2 && havePSK) {
+    if (tls1_2 && havePSK && haveAES128) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256;
    }
@ -3534,7 +3764,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 /* Place as higher priority for MYSQL */
 #if defined(WOLFSSL_MYSQL_COMPATIBLE)
 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-    if (tls && haveDH && haveRSA) {
+    if (tls && haveDH && haveRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
    }
@ -3543,9 +3773,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    #ifdef OPENSSL_EXTRA
-    if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
+    if ((tls1_2 && haveRSA && haveAES128) ||
        (tls1_2 && haveECDSAsig && haveAES128)) {
    #else
-    if (tls1_2 && haveRSA) {
+    if (tls1_2 && haveRSA && haveAES128) {
    #endif
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
@ -3553,21 +3784,21 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-    if (tls1_2 && haveECC) {
+    if (tls1_2 && haveECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
-    if (tls1_2 && haveRSAsig && haveStaticECC) {
+    if (tls1_2 && haveRSAsig && haveStaticECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
-    if (tls1_2 && haveECC && haveStaticECC) {
+    if (tls1_2 && haveECC && haveStaticECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
    }
@ -3606,56 +3837,56 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-    if (tls && haveECC) {
+    if (tls && haveECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-    if (tls && haveECC && haveStaticECC) {
+    if (tls && haveECC && haveStaticECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-    if (tls && haveECC) {
+    if (tls && haveECC && haveAES128 && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-    if (tls && haveECC && haveStaticECC) {
+    if (tls && haveECC && haveStaticECC && haveAES128 && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveECC) {
+    if (!dtls && tls && haveECC && haveSHA1 && haveRC4) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveECC && haveStaticECC) {
+    if (!dtls && tls && haveECC && haveStaticECC && haveSHA1 && haveRC4) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-    if (tls && haveECC) {
+    if (tls && haveECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-    if (tls && haveECC && haveStaticECC) {
+    if (tls && haveECC && haveStaticECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
    }
@ -3663,9 +3894,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    #ifdef OPENSSL_EXTRA
-    if ((tls && haveRSA) || (tls && haveECDSAsig)) {
+    if ((tls && haveRSA && haveSHA1) || (tls && haveECDSAsig && haveSHA1)) {
    #else
-    if (tls && haveRSA) {
+    if (tls && haveRSA && haveSHA1) {
    #endif
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
@ -3673,7 +3904,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
-    if (tls && haveRSAsig && haveStaticECC) {
+    if (tls && haveRSAsig && haveStaticECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
    }
@ -3681,9 +3912,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    #ifdef OPENSSL_EXTRA
-    if ((tls && haveRSA) || (tls && haveECDSAsig)) {
+    if ((tls && haveRSA && haveAES128 && haveSHA1) ||
        (tls && haveECDSAsig && haveAES128 && haveSHA1)) {
    #else
-    if (tls && haveRSA) {
+    if (tls && haveRSA && haveAES128 && haveSHA1) {
    #endif
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
@ -3691,21 +3923,21 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
-    if (tls && haveRSAsig && haveStaticECC) {
+    if (tls && haveRSAsig && haveStaticECC && haveAES128 && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveRSA) {
+    if (!dtls && tls && haveRSA && haveSHA1 && haveRC4) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
-    if (!dtls && tls && haveRSAsig && haveStaticECC) {
+    if (!dtls && tls && haveRSAsig && haveStaticECC && haveSHA1 && haveRC4) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
    }
@ -3713,9 +3945,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    #ifdef OPENSSL_EXTRA
-    if ((tls && haveRSA) || (tls && haveECDSAsig)) {
+    if ((tls && haveRSA && haveSHA1) || (tls && haveECDSAsig && haveSHA1)) {
    #else
-    if (tls && haveRSA) {
+    if (tls && haveRSA && haveSHA1) {
    #endif
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
@ -3723,21 +3955,21 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-    if (tls && haveRSAsig && haveStaticECC) {
+    if (tls && haveRSAsig && haveStaticECC && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
-    if (tls1_2 && haveECC) {
+    if (tls1_2 && haveECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
    }
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
-    if (tls1_2 && haveECC) {
+    if (tls1_2 && haveECC && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
    }
@ -3751,7 +3983,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
-    if (tls1_2 && haveRSA && haveStaticRSA) {
+    if (tls1_2 && haveRSA && haveStaticRSA && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
    }
@ -3778,9 +4010,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && haveDH && haveRSA)
+    if (tls1_2 && haveDH && haveRSA && haveAES128)
 #else
-    if (tls && haveDH && haveRSA)
+    if (tls && haveDH && haveRSA && haveAES128)
 #endif
    {
        suites->suites[idx++] = CIPHER_BYTE;
@ -3791,7 +4023,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 /* Place as higher priority for MYSQL testing */
 #if !defined(WOLFSSL_MYSQL_COMPATIBLE)
 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-    if (tls && haveDH && haveRSA) {
+    if (tls && haveDH && haveRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
    }
@ -3799,14 +4031,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-    if (tls && haveDH && haveRSA) {
+    if (tls && haveDH && haveRSA && haveAES128 && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-    if (tls && haveDH && haveRSA) {
+    if (tls && haveDH && haveRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
    }
@ -3826,9 +4058,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && haveRSA && haveStaticRSA)
+    if (tls1_2 && haveRSA && haveStaticRSA && haveAES128)
 #else
-    if (tls && haveRSA && haveStaticRSA)
+    if (tls && haveRSA && haveStaticRSA && haveAES128)
 #endif
    {
        suites->suites[idx++] = CIPHER_BYTE;
@ -3837,14 +4069,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
-    if (tls && haveRSA && haveStaticRSA) {
+    if (tls && haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
-    if (tls && haveRSA && haveStaticRSA) {
+    if (tls && haveRSA && haveStaticRSA && haveAES128 && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
    }
@ -3881,7 +4113,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
-    if (tls && haveECC && haveNull) {
+    if (tls && haveECC && haveNull && haveSHA1) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
    }
@ -3895,7 +4127,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_RSA_WITH_NULL_SHA
-    if (tls && haveRSA && haveNull && haveStaticRSA) {
+    if (tls && haveRSA && haveNull && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
    }
@ -3914,7 +4146,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
-    if (tls && havePSK) {
+    if (tls && havePSK && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA;
    }
@ -3946,9 +4178,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && haveDH && havePSK)
+    if (tls1_2 && haveDH && havePSK && haveAES128)
 #else
-    if (tls && haveDH && havePSK)
+    if (tls && haveDH && havePSK && haveAES128)
 #endif
    {
        suites->suites[idx++] = CIPHER_BYTE;
@ -3958,9 +4190,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && havePSK)
+    if (tls1_2 && havePSK && haveAES128)
 #else
-    if (tls1 && havePSK)
+    if (tls1 && havePSK && haveAES128)
 #endif
    {
        suites->suites[idx++] = CIPHER_BYTE;
@ -3969,14 +4201,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
-    if (tls && havePSK) {
+    if (tls && havePSK && haveAES128 && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
-    if (tls && haveDH && havePSK) {
+    if (tls && haveDH && havePSK && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM;
    }
@ -4027,9 +4259,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && havePSK)
+    if (tls1_2 && havePSK && haveAES128)
 #else
-    if (tls && havePSK)
+    if (tls && havePSK && haveAES128)
 #endif
    {
        suites->suites[idx++] = ECC_BYTE;
@ -4039,9 +4271,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
 #ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
-    if (tls1_2 && havePSK)
+    if (tls1_2 && havePSK && haveAES128)
 #else
-    if (tls && havePSK)
+    if (tls && havePSK && haveAES128)
 #endif
    {
        suites->suites[idx++] = ECDHE_PSK_BYTE;
@ -4050,7 +4282,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
-    if (tls && havePSK) {
+    if (tls && havePSK && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM;
    }
@ -4064,7 +4296,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
-    if (tls && havePSK) {
+    if (tls && havePSK && haveAES128) {
        suites->suites[idx++] = ECC_BYTE;
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8;
    }
@ -4145,49 +4377,49 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
 #endif
 #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
-    if (!dtls && haveRSA && haveStaticRSA) {
+    if (!dtls && haveRSA && haveStaticRSA && haveSHA1 && haveRC4) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
    }
 #endif
 #ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
-    if (!dtls && haveRSA && haveStaticRSA) {
+    if (!dtls && haveRSA && haveStaticRSA && haveRC4) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
    }
 #endif
 #ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
-    if (haveRSA && haveStaticRSA) {
+    if (haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-    if (tls && haveRSA && haveStaticRSA) {
+    if (tls && haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
-    if (tls && haveDH && haveRSA && haveStaticRSA) {
+    if (tls && haveDH && haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
-    if (tls && haveRSA && haveStaticRSA) {
+    if (tls && haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
    }
 #endif
 #ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
-    if (tls && haveDH && haveRSA && haveStaticRSA) {
+    if (tls && haveDH && haveRSA && haveStaticRSA && haveSHA1) {
        suites->suites[idx++] = CIPHER_BYTE;
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
    }
@ -4284,8 +4516,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
    (void)haveRSAsig; /* non ecc builds won't read */
    (void)haveAnon;   /* anon ciphers optional */
    (void)haveNull;
    (void)haveFalconSig;
    (void)haveDilithiumSig;
 }
 #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) || \
@ -6393,19 +6623,19 @@ int wolfSSL_CTX_IsPrivatePkSet(WOLFSSL_CTX* ctx)
 static void InitSuites_EitherSide(Suites* suites, ProtocolVersion pv, int keySz,
        word16 haveRSA, word16 havePSK, word16 haveDH, word16 haveECDSAsig,
        word16 haveECC, word16 haveStaticECC,
-        word16 haveFalconSig, word16 haveDilithiumSig, word16 haveAnon,
+        word16 haveAnon,
        int side)
 {
    /* make sure server has DH params, and add PSK if there */
    if (side == WOLFSSL_SERVER_END) {
        InitSuites(suites, pv, keySz, haveRSA, havePSK, haveDH, haveECDSAsig,
-                   haveECC, TRUE, haveStaticECC, haveFalconSig,
+                   haveECC, TRUE, haveStaticECC,
-                   haveDilithiumSig, haveAnon, TRUE, side);
+                   haveAnon, TRUE, TRUE, TRUE, TRUE, side);
    }
    else {
        InitSuites(suites, pv, keySz, haveRSA, havePSK, TRUE, haveECDSAsig,
-                   haveECC, TRUE, haveStaticECC, haveFalconSig,
+                   haveECC, TRUE, haveStaticECC,
-                   haveDilithiumSig, haveAnon, TRUE, side);
+                   haveAnon, TRUE, TRUE, TRUE, TRUE, side);
    }
 }
@ -6429,7 +6659,7 @@ void InitSSL_CTX_Suites(WOLFSSL_CTX* ctx)
 #endif
    InitSuites_EitherSide(ctx->suites, ctx->method->version, keySz,
            haveRSA, havePSK, ctx->haveDH, ctx->haveECDSAsig, ctx->haveECC,
-            ctx->haveStaticECC, ctx->haveFalconSig, ctx->haveDilithiumSig,
+            ctx->haveStaticECC,
            haveAnon, ctx->method->side);
 }
@ -6484,7 +6714,6 @@ int InitSSL_Suites(WOLFSSL* ssl)
        InitSuites_EitherSide(ssl->suites, ssl->version, keySz, haveRSA,
                havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
                ssl->options.haveECC, ssl->options.haveStaticECC,
                ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
                ssl->options.useAnon, ssl->options.side);
    }
@ -7725,6 +7954,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
    ssl->response_idx = 0;
 #endif
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    ssl->secLevel = ctx->secLevel;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    /* Returns 0 on success, not WOLFSSL_SUCCESS (1) */
    WOLFSSL_MSG_EX("InitSSL done. return 0 (success)");
    return 0;
@ -25886,6 +26118,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
    case CRL_MISSING:
        return "CRL missing, not loaded";
    case CRYPTO_POLICY_FORBIDDEN:
        return "Operation forbidden by system crypto-policy";
    case MONITOR_SETUP_E:
        return "CRL monitor setup error";
@ -27313,6 +27548,9 @@ static int ParseCipherList(Suites* suites,
    word16    haveNull         = 1; /* allowed by default if compiled in */
    int       callInitSuites   = 0;
    word16    havePSK          = 0;
    word16    haveAES128       = 1; /* allowed by default if compiled in */
    word16    haveSHA1         = 1; /* allowed by default if compiled in */
    word16    haveRC4          = 1; /* allowed by default if compiled in */
 #endif
    const int suiteSz       = GetCipherNamesSize();
    const char* next        = list;
@ -27337,8 +27575,8 @@ static int ParseCipherList(Suites* suites,
 #else
                0,
 #endif
-                haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 1, 1, 0, 0,
+                haveRSA, 1, 1, !haveRSA, 1, haveRSA, !haveRSA, 0, 0, 1,
-                side
+                1, 1, side
        );
        return 1; /* wolfSSL default */
    }
@ -27539,6 +27777,29 @@ static int ParseCipherList(Suites* suites,
            continue;
        }
        #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
        if (XSTRCMP(name, "AES128") == 0) {
            haveAES128 = allowing;
            callInitSuites = 1;
            ret = 1;
            continue;
        }
        if (XSTRCMP(name, "SHA1") == 0) {
            haveSHA1 = allowing;
            callInitSuites = 1;
            ret = 1;
            continue;
        }
        if (XSTRCMP(name, "RC4") == 0) {
            haveRC4 = allowing;
            callInitSuites = 1;
            ret = 1;
            continue;
        }
        #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
        if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
            /* No way to limit or allow low bit sizes */
            if (allowing) {
@ -27560,6 +27821,14 @@ static int ParseCipherList(Suites* suites,
            /* wolfSSL doesn't support "export" ciphers. We can skip this */
            continue;
        }
        #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
        if (XSTRNCMP(name, WOLFSSL_SECLEVEL_STR,
                     strlen(WOLFSSL_SECLEVEL_STR)) == 0) {
            /* Skip the "@SECLEVEL=N" string, we'll process it elsewhere. */
            continue;
        }
        #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    #endif /* OPENSSL_EXTRA */
        for (i = 0; i < suiteSz; i++) {
@ -27699,10 +27968,9 @@ static int ParseCipherList(Suites* suites,
                       (word16)((haveSig & SIG_ECDSA) != 0),
                       (word16)haveECC, (word16)haveStaticRSA,
                       (word16)haveStaticECC,
                       (word16)((haveSig & SIG_FALCON) != 0),
                       (word16)((haveSig & SIG_DILITHIUM) != 0),
                       (word16)((haveSig & SIG_ANON) != 0),
-                       (word16)haveNull, side);
+                       (word16)haveNull, (word16)haveAES128,
                       (word16)haveSHA1, (word16)haveRC4, side);
            /* Restore user ciphers ahead of defaults */
            XMEMMOVE(suites->suites + idx, suites->suites,
                    min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
@ -27713,7 +27981,7 @@ static int ParseCipherList(Suites* suites,
        {
            suites->suiteSz   = (word16)idx;
            InitSuitesHashSigAlgo(suites->hashSigAlgo, haveSig, 1, keySz,
-                 &suites->hashSigAlgoSz);
+                                  &suites->hashSigAlgoSz);
        }
 #ifdef HAVE_RENEGOTIATION_INDICATION
@ -36885,9 +37153,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
            InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
                       ssl->options.haveDH, ssl->options.haveECDSAsig,
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                       ssl->options.haveFalconSig,
+                       ssl->options.useAnon,
-                       ssl->options.haveDilithiumSig, ssl->options.useAnon,
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                       TRUE, ssl->options.side);
        }
        /* suite size */
@ -37317,9 +37584,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
            InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
                       ssl->options.haveDH, ssl->options.haveECDSAsig,
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                       ssl->options.haveFalconSig,
+                       ssl->options.useAnon,
-                       ssl->options.haveDilithiumSig, ssl->options.useAnon,
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                       TRUE, ssl->options.side);
        }
        /* check if option is set to not allow the current version
@ -37395,9 +37661,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
                           ssl->options.haveDH, ssl->options.haveECDSAsig,
                           ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                           ssl->options.haveFalconSig,
+                           ssl->options.useAnon,
-                           ssl->options.haveDilithiumSig, ssl->options.useAnon,
+                           TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                           TRUE, ssl->options.side);
            }
        }
--- a/src/ssl.c
+++ b/src/ssl.c
@ -281,6 +281,13 @@ int wc_OBJ_sn2nid(const char *sn)
 #ifndef WOLFCRYPT_ONLY
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
 /* The system wide crypto-policy. Configured by wolfSSL_crypto_policy_enable.
 * */
 static struct SystemCryptoPolicy crypto_policy;
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #if !defined(NO_RSA) || !defined(NO_DH) || defined(HAVE_ECC) || \
    (defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && !defined(NO_DSA))
@ -1026,6 +1033,10 @@ int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen)
 }
 #endif /* WOLFSSL_TLS13 && HAVE_ECH */
 #ifdef OPENSSL_EXTRA
 static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
        Suites* suites, const char* list);
 #endif
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_FSPSM_TLS)
 #include <wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h>
@ -1125,6 +1136,30 @@ WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap)
    }
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    /* Load the crypto-policy ciphers if configured. */
    if (ctx && wolfSSL_crypto_policy_is_enabled()) {
        const char * list = wolfSSL_crypto_policy_get_ciphers();
        int          ret = 0;
        if (list != NULL && *list != '\0') {
            if (AllocateCtxSuites(ctx) != 0) {
                WOLFSSL_MSG("allocate ctx suites failed");
                wolfSSL_CTX_free(ctx);
                ctx = NULL;
            }
            else {
                ret = wolfSSL_parse_cipher_list(ctx, NULL, ctx->suites, list);
                if (ret != WOLFSSL_SUCCESS) {
                    WOLFSSL_MSG("parse cipher list failed");
                    wolfSSL_CTX_free(ctx);
                    ctx = NULL;
                }
            }
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    WOLFSSL_LEAVE("wolfSSL_CTX_new_ex", 0);
    return ctx;
 }
@ -2709,6 +2744,14 @@ int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ctx->minEccKeySz > (keySz / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ctx->minEccKeySz     = keySz / 8;
 #ifndef NO_CERTS
    ctx->cm->minEccKeySz = keySz / 8;
@ -2725,6 +2768,14 @@ int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ssl->options.minEccKeySz > (keySz / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ssl->options.minEccKeySz = keySz / 8;
    return WOLFSSL_SUCCESS;
 }
@ -2739,6 +2790,14 @@ int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, short keySz)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ctx->minRsaKeySz > (keySz / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ctx->minRsaKeySz     = keySz / 8;
    ctx->cm->minRsaKeySz = keySz / 8;
    return WOLFSSL_SUCCESS;
@ -2752,6 +2811,14 @@ int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, short keySz)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ssl->options.minRsaKeySz > (keySz / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ssl->options.minRsaKeySz = keySz / 8;
    return WOLFSSL_SUCCESS;
 }
@ -2784,6 +2851,14 @@ int wolfSSL_CTX_SetMinDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz_bits)
    if (ctx == NULL || keySz_bits > 16000 || keySz_bits % 8 != 0)
        return BAD_FUNC_ARG;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ctx->minDhKeySz > (keySz_bits / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ctx->minDhKeySz = keySz_bits / 8;
    return WOLFSSL_SUCCESS;
 }
@ -2794,6 +2869,14 @@ int wolfSSL_SetMinDhKey_Sz(WOLFSSL* ssl, word16 keySz_bits)
    if (ssl == NULL || keySz_bits > 16000 || keySz_bits % 8 != 0)
        return BAD_FUNC_ARG;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ssl->options.minDhKeySz > (keySz_bits / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ssl->options.minDhKeySz = keySz_bits / 8;
    return WOLFSSL_SUCCESS;
 }
@ -2804,6 +2887,14 @@ int wolfSSL_CTX_SetMaxDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz_bits)
    if (ctx == NULL || keySz_bits > 16000 || keySz_bits % 8 != 0)
        return BAD_FUNC_ARG;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ctx->minDhKeySz > (keySz_bits / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ctx->maxDhKeySz = keySz_bits / 8;
    return WOLFSSL_SUCCESS;
 }
@ -2814,6 +2905,14 @@ int wolfSSL_SetMaxDhKey_Sz(WOLFSSL* ssl, word16 keySz_bits)
    if (ssl == NULL || keySz_bits > 16000 || keySz_bits % 8 != 0)
        return BAD_FUNC_ARG;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        if (ssl->options.minDhKeySz > (keySz_bits / 8)) {
            return CRYPTO_POLICY_FORBIDDEN;
        }
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    ssl->options.maxDhKeySz = keySz_bits / 8;
    return WOLFSSL_SUCCESS;
 }
@ -4858,6 +4957,12 @@ int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        return CRYPTO_POLICY_FORBIDDEN;
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    return SetMinVersionHelper(&ctx->minDowngrade, version);
 }
@ -4872,6 +4977,12 @@ int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version)
        return BAD_FUNC_ARG;
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (crypto_policy.enabled) {
        return CRYPTO_POLICY_FORBIDDEN;
    }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    return SetMinVersionHelper(&ssl->options.minDowngrade, version);
 }
@ -4981,8 +5092,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
               ssl->options.haveDH, ssl->options.haveECDSAsig,
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
               ssl->options.useAnon, TRUE, ssl->options.side);
    return WOLFSSL_SUCCESS;
 }
 #endif /* !leanpsk */
@ -5864,6 +5974,11 @@ int wolfSSL_Init(void)
 #endif
    }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    /* System wide crypto policy disabled by default. */
    XMEMSET(&crypto_policy, 0, sizeof(crypto_policy));
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    if (ret == WOLFSSL_SUCCESS) {
        initRefCount++;
    }
@ -5880,6 +5995,286 @@ int wolfSSL_Init(void)
    return ret;
 }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
 /* Helper function for wolfSSL_crypto_policy_enable and
 * wolfSSL_crypto_policy_enable_buffer.
 *
 * Parses the crypto policy string, verifies values,
 * and sets in global crypto policy struct. Not thread
 * safe. String length has already been verified.
 *
 * Returns WOLFSSL_SUCCESS on success.
 * Returns CRYPTO_POLICY_FORBIDDEN if already enabled.
 * Returns < 0 on misc error.
 * */
 static int crypto_policy_parse(void)
 {
    const char * hdr = WOLFSSL_SECLEVEL_STR;
    int          sec_level = 0;
    size_t       i = 0;
    /* All policies should begin with "@SECLEVEL=<N>" (N={0..5}) followed
     * by bulk cipher list. */
    if (XMEMCMP(crypto_policy.str, hdr, strlen(hdr)) != 0) {
        WOLFSSL_MSG("error: crypto policy: invalid header");
        return WOLFSSL_BAD_FILE;
    }
    {
        /* Extract the security level. */
        char *       policy_mem = crypto_policy.str;
        policy_mem += strlen(hdr);
        sec_level = (int) (*policy_mem - '0');
    }
    if (sec_level < MIN_WOLFSSL_SEC_LEVEL ||
        sec_level > MAX_WOLFSSL_SEC_LEVEL) {
        WOLFSSL_MSG_EX("error: invalid SECLEVEL: %d", sec_level);
        return WOLFSSL_BAD_FILE;
    }
    /* Remove trailing '\r' or '\n'. */
    for (i = 0; i < MAX_WOLFSSL_CRYPTO_POLICY_SIZE; ++i) {
        if (crypto_policy.str[i] == '\0') {
            break;
        }
        if (crypto_policy.str[i] == '\r' || crypto_policy.str[i] == '\n') {
            crypto_policy.str[i] = '\0';
            break;
        }
    }
    #if defined(DEBUG_WOLFSSL_VERBOSE)
    WOLFSSL_MSG_EX("info: SECLEVEL=%d", sec_level);
    WOLFSSL_MSG_EX("info: using crypto-policy file: %s, %ld", policy_file, sz);
    #endif /* DEBUG_WOLFSSL_VERBOSE */
    crypto_policy.secLevel = sec_level;
    crypto_policy.enabled = 1;
    return WOLFSSL_SUCCESS;
 }
 #ifndef NO_FILESYSTEM
 /* Enables wolfSSL system wide crypto-policy, using the given policy
 * file arg. If NULL is passed, then the default system crypto-policy
 * file that was set at configure time will be used instead.
 *
 * While enabled:
 *   - TLS methods, min key sizes, and cipher lists are all configured
 *     automatically by the policy.
 *   - Attempting to use lesser strength parameters will fail with
 *     error CRYPTO_POLICY_FORBIDDEN.
 *
 * Disable with wolfSSL_crypto_policy_disable.
 *
 * Note: the wolfSSL_crypto_policy_X API are not thread safe, and should
 * only be called at program init time.
 *
 * Returns WOLFSSL_SUCCESS on success.
 * Returns CRYPTO_POLICY_FORBIDDEN if already enabled.
 * Returns < 0 on misc error.
 * */
 int wolfSSL_crypto_policy_enable(const char * policy_file)
 {
    XFILE   file;
    long    sz = 0;
    size_t  n_read = 0;
    WOLFSSL_ENTER("wolfSSL_crypto_policy_enable");
    if (wolfSSL_crypto_policy_is_enabled()) {
        WOLFSSL_MSG_EX("error: crypto policy already enabled: %s",
                       policy_file);
        return CRYPTO_POLICY_FORBIDDEN;
    }
    if (policy_file == NULL) {
        /* Use the configure-time default if NULL passed. */
        policy_file = WC_STRINGIFY(WOLFSSL_CRYPTO_POLICY_FILE);
    }
    if (policy_file == NULL || *policy_file == '\0') {
        WOLFSSL_MSG("error: crypto policy empty file");
        return BAD_FUNC_ARG;
    }
    XMEMSET(&crypto_policy, 0, sizeof(crypto_policy));
    file = XFOPEN(policy_file, "rb");
    if (file == XBADFILE) {
        WOLFSSL_MSG_EX("error: crypto policy file open failed: %s",
                       policy_file);
        return WOLFSSL_BAD_FILE;
    }
    if (XFSEEK(file, 0, XSEEK_END) != 0) {
        WOLFSSL_MSG_EX("error: crypto policy file seek end failed: %s",
                       policy_file);
        XFCLOSE(file);
        return WOLFSSL_BAD_FILE;
    }
    sz = XFTELL(file);
    if (XFSEEK(file, 0, XSEEK_SET) != 0) {
        WOLFSSL_MSG_EX("error: crypto policy file seek failed: %s",
                       policy_file);
        XFCLOSE(file);
        return WOLFSSL_BAD_FILE;
    }
    if (sz <= 0 || sz > MAX_WOLFSSL_CRYPTO_POLICY_SIZE) {
        WOLFSSL_MSG_EX("error: crypto policy file %s, invalid size: %ld",
                       policy_file, sz);
        XFCLOSE(file);
        return WOLFSSL_BAD_FILE;
    }
    n_read = XFREAD(crypto_policy.str, 1, sz, file);
    XFCLOSE(file);
    if (n_read != (size_t) sz) {
        WOLFSSL_MSG_EX("error: crypto policy file %s: read %zu, "
                       "expected %ld", policy_file, n_read, sz);
        return WOLFSSL_BAD_FILE;
    }
    crypto_policy.str[n_read] = '\0';
    return crypto_policy_parse();
 }
 #endif /* ! NO_FILESYSTEM */
 /* Same behavior as wolfSSL_crypto_policy_enable, but loads
 * via memory buf instead of file.
 *
 * Returns WOLFSSL_SUCCESS on success.
 * Returns CRYPTO_POLICY_FORBIDDEN if already enabled.
 * Returns < 0 on misc error.
 * */
 int wolfSSL_crypto_policy_enable_buffer(const char * buf)
 {
    size_t sz = 0;
    WOLFSSL_ENTER("wolfSSL_crypto_policy_enable_buffer");
    if (wolfSSL_crypto_policy_is_enabled()) {
        WOLFSSL_MSG_EX("error: crypto policy already enabled");
        return CRYPTO_POLICY_FORBIDDEN;
    }
    if (buf == NULL || *buf == '\0') {
        return BAD_FUNC_ARG;
    }
    sz = XSTRLEN(buf);
    if (sz == 0 || sz > MAX_WOLFSSL_CRYPTO_POLICY_SIZE) {
        return BAD_FUNC_ARG;
    }
    XMEMSET(&crypto_policy, 0, sizeof(crypto_policy));
    XMEMCPY(crypto_policy.str, buf, sz);
    return crypto_policy_parse();
 }
 /* Returns whether the system wide crypto-policy is enabled.
 *
 * Returns 1 if enabled.
 *         0 if disabled.
 * */
 int wolfSSL_crypto_policy_is_enabled(void)
 {
    WOLFSSL_ENTER("wolfSSL_crypto_policy_is_enabled");
    return crypto_policy.enabled == 1;
 }
 /* Disables the system wide crypto-policy.
 * note: SSL and CTX structures already instantiated will
 * keep their security policy parameters. This will only
 * affect new instantiations.
 * */
 void wolfSSL_crypto_policy_disable(void)
 {
    WOLFSSL_ENTER("wolfSSL_crypto_policy_disable");
    crypto_policy.enabled = 0;
    XMEMSET(&crypto_policy, 0, sizeof(crypto_policy));
    return;
 }
 /* Get the crypto-policy bulk cipher list string.
 * String is not owned by caller, should not be freed.
 *
 * Returns pointer to bulk cipher list string.
 * Returns NULL if NOT enabled, or on error.
 * */
 const char * wolfSSL_crypto_policy_get_ciphers(void)
 {
    WOLFSSL_ENTER("wolfSSL_crypto_policy_get_ciphers");
    if (crypto_policy.enabled == 1) {
        /* The crypto policy config will have
         * this form:
         *   "@SECLEVEL=2:kEECDH:kRSA..." */
        return crypto_policy.str;
    }
    return NULL;
 }
 /* Get the configured crypto-policy security level.
 * A security level of 0 does not impose any additional
 * restrictions.
 *
 * Returns 1 - 5 if enabled.
 * Returns 0 if NOT enabled.
 * */
 int wolfSSL_crypto_policy_get_level(void)
 {
    if (crypto_policy.enabled == 1) {
        return crypto_policy.secLevel;
    }
    return 0;
 }
 /* Get security level from ssl structure.
 * @param ssl  a pointer to WOLFSSL structure
 */
 int wolfSSL_get_security_level(const WOLFSSL * ssl)
 {
    if (ssl == NULL) {
        return BAD_FUNC_ARG;
    }
    return ssl->secLevel;
 }
 #ifndef NO_WOLFSSL_STUB
 /*
 * Set security level (wolfSSL doesn't support setting the security level).
 *
 * The security level can only be set through a system wide crypto-policy
 * with wolfSSL_crypto_policy_enable().
 *
 * @param ssl  a pointer to WOLFSSL structure
 * @param level security level
 */
 void wolfSSL_set_security_level(WOLFSSL * ssl, int level)
 {
    WOLFSSL_ENTER("wolfSSL_set_security_level");
    (void)ssl;
    (void)level;
 }
 #endif /* !NO_WOLFSSL_STUB */
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #define WOLFSSL_SSL_LOAD_INCLUDED
 #include <src/ssl_load.c>
@ -10470,6 +10865,10 @@ int wolfSSL_Cleanup(void)
    if (!release)
        return ret;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    wolfSSL_crypto_policy_disable();
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #ifdef OPENSSL_EXTRA
    wolfSSL_BN_free_one();
 #endif
@ -10915,8 +11314,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
        InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                   ssl->options.haveDH, ssl->options.haveECDSAsig,
                   ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                   ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+                   ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                   ssl->options.useAnon, TRUE, ssl->options.side);
    }
    #ifdef OPENSSL_EXTRA
    /**
@ -10972,8 +11370,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
        InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
                   ssl->options.haveDH, ssl->options.haveECDSAsig,
                   ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                   ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+                   ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                   ssl->options.useAnon, TRUE, ssl->options.side);
    }
    const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@ -12707,6 +13104,7 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
    if (ctx == NULL) {
        return WOLFSSL_FAILURE;
    }
    if (version != 0) {
        proto = version;
        ctx->minProto = 0; /* turn min proto flag off */
@ -16374,9 +16772,8 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
            InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
                       havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig,
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-                       ssl->options.haveFalconSig,
+                       ssl->options.useAnon,
-                       ssl->options.haveDilithiumSig, ssl->options.useAnon,
+                       TRUE, TRUE, TRUE, TRUE, ssl->options.side);
                       TRUE, ssl->options.side);
        }
        else {
            /* Only preserve overlapping suites */
@ -16397,7 +16794,7 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
             * - haveStaticECC turns off haveRSA
             * - haveECDSAsig turns off haveRSAsig */
            InitSuites(&tmpSuites, ssl->version, 0, 1, 1, 1, haveECDSAsig, 1, 1,
-                    haveStaticECC, 1, 1, 1, 1, ssl->options.side);
+                    haveStaticECC, 1, 1, 1, 1, 1, ssl->options.side);
            for (in = 0, out = 0; in < ssl->suites->suiteSz; in += SUITE_LEN) {
                if (FindSuite(&tmpSuites, ssl->suites->suites[in],
                        ssl->suites->suites[in+1]) >= 0) {
@ -23870,8 +24267,12 @@ int wolfSSL_CTX_set_dh_auto(WOLFSSL_CTX* ctx, int onoff)
 }
 /**
- * set security level (wolfSSL doesn't support security level)
+ * Set security level (wolfSSL doesn't support setting the security level).
- * @param ctx  a pointer to WOLFSSL_EVP_PKEY_CTX structure
+ *
 * The security level can only be set through a system wide crypto-policy
 * with wolfSSL_crypto_policy_enable().
 *
 * @param ctx  a pointer to WOLFSSL_CTX structure
 * @param level security level
 */
 void wolfSSL_CTX_set_security_level(WOLFSSL_CTX* ctx, int level)
@ -23880,16 +24281,20 @@ void wolfSSL_CTX_set_security_level(WOLFSSL_CTX* ctx, int level)
    (void)ctx;
    (void)level;
 }
-/**
+
- * get security level (wolfSSL doesn't support security level)
+int wolfSSL_CTX_get_security_level(const WOLFSSL_CTX * ctx)
 * @param ctx  a pointer to WOLFSSL_EVP_PKEY_CTX structure
 * @return always 0(level 0)
 */
 int wolfSSL_CTX_get_security_level(const WOLFSSL_CTX* ctx)
 {
    WOLFSSL_ENTER("wolfSSL_CTX_get_security_level");
    #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    if (ctx == NULL) {
        return BAD_FUNC_ARG;
    }
    return ctx->secLevel;
    #else
    (void)ctx;
    return 0;
    #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 }
 #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@ -2201,9 +2201,9 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
                InitSuites(ssl->suites, ssl->version, ssl->buffers.keySz,
                    WOLFSSL_HAVE_RSA, SSL_HAVE_PSK(ssl), ssl->options.haveDH,
                    ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
-                    ssl->options.haveStaticECC, ssl->options.haveFalconSig,
+                    ssl->options.haveStaticECC,
-                    ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE,
+                    ssl->options.useAnon, TRUE,
-                    ssl->options.side);
+                    TRUE, TRUE, TRUE, ssl->options.side);
            }
        }
    }
@ -2218,8 +2218,8 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
            InitSuites(ctx->suites, ctx->method->version, ctx->privateKeySz,
                WOLFSSL_HAVE_RSA, CTX_HAVE_PSK(ctx), ctx->haveDH,
                ctx->haveECDSAsig, ctx->haveECC, TRUE, ctx->haveStaticECC,
-                ctx->haveFalconSig, ctx->haveDilithiumSig, CTX_USE_ANON(ctx),
+                CTX_USE_ANON(ctx),
-                TRUE, ctx->method->side);
+                TRUE, TRUE, TRUE, TRUE, ctx->method->side);
        }
    }
@ -5309,9 +5309,9 @@ static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,
        InitSuites(ssl->suites, ssl->version, SSL_KEY_SZ(ssl),
            WOLFSSL_HAVE_RSA, SSL_HAVE_PSK(ssl), ssl->options.haveDH,
            ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
-            ssl->options.haveStaticECC, ssl->options.haveFalconSig,
+            ssl->options.haveStaticECC,
-            ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE,
+            ssl->options.useAnon, TRUE,
-            ssl->options.side);
+            TRUE, TRUE, TRUE, ssl->options.side);
    }
    return ret;
--- a/src/tls13.c
+++ b/src/tls13.c
@ -13976,8 +13976,7 @@ void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
               ssl->options.haveDH, ssl->options.haveECDSAsig,
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
               ssl->options.useAnon, TRUE, ssl->options.side);
 }
 /* Set the PSK callback that returns the cipher suite for a client to use
@ -14029,8 +14028,7 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
               ssl->options.haveDH, ssl->options.haveECDSAsig,
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
               ssl->options.useAnon, TRUE, ssl->options.side);
 }
 /* Set the PSK callback that returns the cipher suite for a server to use
@ -14079,8 +14077,7 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
               ssl->options.haveDH, ssl->options.haveECDSAsig,
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
-               ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
+               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
               ssl->options.useAnon, TRUE, ssl->options.side);
 }
 /* Get name of first supported cipher suite that uses the hash indicated.
--- a/tests/api.c
+++ b/tests/api.c
@ -92005,7 +92005,11 @@ static int test_wolfSSL_security_level(void)
        #endif
        SSL_CTX_set_security_level(NULL, 1);
        SSL_CTX_set_security_level(ctx, 1);
        #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
        ExpectIntEQ(SSL_CTX_get_security_level(NULL), BAD_FUNC_ARG);
        #else
        ExpectIntEQ(SSL_CTX_get_security_level(NULL), 0);
        #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
        /* Stub so nothing happens. */
        ExpectIntEQ(SSL_CTX_get_security_level(ctx), 0);
@ -92017,6 +92021,703 @@ static int test_wolfSSL_security_level(void)
    return EXPECT_RESULT();
 }
 /* System wide crypto-policy test.
 *
 * Loads three different policies (legacy, default, future),
 * then tests crypt_policy api.
 * */
 static int test_wolfSSL_crypto_policy(void)
 {
    EXPECT_DECLS;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY) && !defined(NO_TLS)
    int          rc = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
    const char * policy_list[] = {
        "examples/crypto_policies/legacy/wolfssl.txt",
        "examples/crypto_policies/default/wolfssl.txt",
        "examples/crypto_policies/future/wolfssl.txt",
    };
    const char * ciphers_list[] = {
        "@SECLEVEL=1:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK"
        ":!eNULL:!aNULL",
        "@SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK"
        ":!RC4:!eNULL:!aNULL",
        "@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA"
        ":!AES128:!RC4:!eNULL:!aNULL:!SHA1",
    };
    int          seclevel_list[] = { 1, 2, 3 };
    int          i = 0;
    for (i = 0; i < 3; ++i) {
        const char *  ciphers = NULL;
        int           n_diff = 0;
        WOLFSSL_CTX * ctx = NULL;
        WOLFSSL     * ssl = NULL;
        /* Enable crypto policy. */
        rc = wolfSSL_crypto_policy_enable(policy_list[i]);
        ExpectIntEQ(rc, WOLFSSL_SUCCESS);
        rc = wolfSSL_crypto_policy_is_enabled();
        ExpectIntEQ(rc, 1);
        /* Trying to enable while already enabled should return
         * forbidden. */
        rc = wolfSSL_crypto_policy_enable(policy_list[i]);
        ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
        /* Security level and ciphers should match what is expected. */
        rc = wolfSSL_crypto_policy_get_level();
        ExpectIntEQ(rc, seclevel_list[i]);
        ciphers = wolfSSL_crypto_policy_get_ciphers();
        ExpectNotNull(ciphers);
        if (ciphers != NULL) {
            n_diff = XSTRNCMP(ciphers, ciphers_list[i], strlen(ciphers));
            #ifdef DEBUG_WOLFSSL
            if (n_diff) {
                printf("error: got \n%s, expected \n%s\n",
                       ciphers, ciphers_list[i]);
            }
            #endif /* DEBUG_WOLFSSL */
            ExpectIntEQ(n_diff, 0);
        }
        /* TLSv1_2_method should work for all policies. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            ssl = wolfSSL_new(ctx);
            ExpectNotNull(ssl);
            /* These API should be rejected while enabled. */
            rc = wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_TLSV1_3);
            ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
            rc = wolfSSL_SetMinVersion(ssl, WOLFSSL_TLSV1_3);
            ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
        }
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        if (ssl != NULL) {
            wolfSSL_free(ssl);
            ssl = NULL;
        }
        wolfSSL_crypto_policy_disable();
        /* Do the same test by buffer. */
        rc = wolfSSL_crypto_policy_enable_buffer(ciphers_list[i]);
        ExpectIntEQ(rc, WOLFSSL_SUCCESS);
        rc = wolfSSL_crypto_policy_is_enabled();
        ExpectIntEQ(rc, 1);
        /* Security level and ciphers should match what is expected. */
        rc = wolfSSL_crypto_policy_get_level();
        ExpectIntEQ(rc, seclevel_list[i]);
        ciphers = wolfSSL_crypto_policy_get_ciphers();
        ExpectNotNull(ciphers);
        if (ciphers != NULL) {
            n_diff = XSTRNCMP(ciphers, ciphers_list[i], strlen(ciphers));
            #ifdef DEBUG_WOLFSSL
            if (n_diff) {
                printf("error: got \n%s, expected \n%s\n",
                       ciphers, ciphers_list[i]);
            }
            #endif /* DEBUG_WOLFSSL */
            ExpectIntEQ(n_diff, 0);
        }
        wolfSSL_crypto_policy_disable();
    }
    wolfSSL_crypto_policy_disable();
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY && !NO_TLS */
    return EXPECT_RESULT();
 }
 /* System wide crypto-policy test: certs and keys.
 *
 * Loads three different policies (legacy, default, future),
 * then tests loading different certificates and keys of
 * varying strength.
 * */
 static int test_wolfSSL_crypto_policy_certs_and_keys(void)
 {
    EXPECT_DECLS;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY) && !defined(NO_TLS)
    int          rc = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
    const char * policy_list[] = {
        "examples/crypto_policies/legacy/wolfssl.txt",
        "examples/crypto_policies/default/wolfssl.txt",
        "examples/crypto_policies/future/wolfssl.txt",
    };
    int          i = 0;
    for (i = 0; i < 3; ++i) {
        WOLFSSL_CTX * ctx = NULL;
        WOLFSSL     * ssl = NULL;
        int           is_legacy = 0;
        int           is_future = 0;
        /* certs */
        const char *  cert1024 = "certs/1024/client-cert.pem";
        const char *  cert2048 = "certs/client-cert.pem";
        const char *  cert3072 = "certs/3072/client-cert.pem";
        const char *  cert256 = "certs/client-ecc-cert.pem";
        const char *  cert384 = "certs/client-ecc384-cert.pem";
        /* keys */
        const char *  key1024 = "certs/1024/client-key.pem";
        const char *  key2048 = "certs/client-key.pem";
        const char *  key3072 = "certs/3072/client-key.pem";
        const char *  key256 = "certs/ecc-key.pem";
        const char *  key384 = "certs/client-ecc384-key.pem";
        is_legacy = (XSTRSTR(policy_list[i], "legacy") != NULL) ? 1 : 0;
        is_future = (XSTRSTR(policy_list[i], "future") != NULL) ? 1 : 0;
        /* Enable crypto policy. */
        rc = wolfSSL_crypto_policy_enable(policy_list[i]);
        ExpectIntEQ(rc, WOLFSSL_SUCCESS);
        rc = wolfSSL_crypto_policy_is_enabled();
        ExpectIntEQ(rc, 1);
        /* TLSv1_2_method should work for all policies. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        /* Test certs of varying strength. */
        if (ctx != NULL) {
            /* VERIFY_PEER must be set for key/cert checks to be done. */
            wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
            /* Test loading a cert with 1024 RSA key size.
             * This should fail for all but legacy. */
            rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert1024);
            if (is_legacy) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, WOLFSSL_FAILURE);
            }
            /* Test loading a cert with 2048 RSA key size.
             * Future crypto-policy is min 3072 RSA and DH key size,
             * and should fail. */
            rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert2048);
            if (is_future) {
                /* Future crypto-policy is min 3072 RSA and DH key size, this
                 * and should fail. */
                ExpectIntEQ(rc, WOLFSSL_FAILURE);
                /* Set to VERIFY_NONE. This will disable key size checks,
                 * it should now succeed. */
                wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL);
                rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert2048);
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                /* Set back to verify peer. */
                wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
            }
            else {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            /* Test loading a CA cert with 3072 RSA key size.
             * This should succeed for all policies. */
            rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert3072);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* Test loading an ecc cert with 256 key size.
             * This should succeed for all policies. */
            rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert256);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* Test loading an ecc cert with 384 key size.
             * This should succeed for all policies. */
            rc = wolfSSL_CTX_use_certificate_chain_file(ctx, cert384);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* cleanup */
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        /* TLSv1_2_method should work for all policies. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        /* Repeat same tests for keys of varying strength. */
        if (ctx != NULL) {
            /* 1024 RSA */
            rc = SSL_CTX_use_PrivateKey_file(ctx, key1024,
                                             SSL_FILETYPE_PEM);
            if (is_legacy) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, WOLFSSL_FAILURE);
            }
            /* 2048 RSA */
            rc = SSL_CTX_use_PrivateKey_file(ctx, key2048,
                                             SSL_FILETYPE_PEM);
            if (!is_future) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, WOLFSSL_FAILURE);
            }
            /* 3072 RSA */
            rc = SSL_CTX_use_PrivateKey_file(ctx, key3072,
                                             SSL_FILETYPE_PEM);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* 256 ecc */
            rc = SSL_CTX_use_PrivateKey_file(ctx, key256,
                                             SSL_FILETYPE_PEM);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* 384 ecc */
            rc = SSL_CTX_use_PrivateKey_file(ctx, key384,
                                             SSL_FILETYPE_PEM);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* cleanup */
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #ifdef HAVE_ECC
        /* Test set ecc min key size. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            ssl = SSL_new(ctx);
            ExpectNotNull(ssl);
            /* Test setting ctx. */
            rc = wolfSSL_CTX_SetMinEccKey_Sz(ctx, 160);
            if (is_legacy) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
            }
            rc = wolfSSL_CTX_SetMinEccKey_Sz(ctx, 224);
            if (!is_future) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
            }
            rc = wolfSSL_CTX_SetMinEccKey_Sz(ctx, 256);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* Test setting ssl. */
            if (ssl != NULL) {
                rc = wolfSSL_SetMinEccKey_Sz(ssl, 160);
                if (is_legacy) {
                    ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                }
                else {
                    ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
                }
                rc = wolfSSL_SetMinEccKey_Sz(ssl, 224);
                if (!is_future) {
                    ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                }
                else {
                    ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
                }
                rc = wolfSSL_SetMinEccKey_Sz(ssl, 256);
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                wolfSSL_free(ssl);
                ssl = NULL;
            }
            /* cleanup */
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #endif /* HAVE_ECC */
        #if !defined(NO_RSA)
        /* Test set rsa min key size. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            ssl = SSL_new(ctx);
            ExpectNotNull(ssl);
            /* Test setting ctx. */
            rc = wolfSSL_CTX_SetMinRsaKey_Sz(ctx, 1024);
            if (is_legacy) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
            }
            rc = wolfSSL_CTX_SetMinRsaKey_Sz(ctx, 2048);
            if (!is_future) {
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            }
            else {
                ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
            }
            rc = wolfSSL_CTX_SetMinRsaKey_Sz(ctx, 3072);
            ExpectIntEQ(rc, WOLFSSL_SUCCESS);
            /* Test setting ssl. */
            if (ssl != NULL) {
                rc = wolfSSL_SetMinRsaKey_Sz(ssl, 1024);
                if (is_legacy) {
                    ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                }
                else {
                    ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
                }
                rc = wolfSSL_SetMinRsaKey_Sz(ssl, 2048);
                if (!is_future) {
                    ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                }
                else {
                    ExpectIntEQ(rc, CRYPTO_POLICY_FORBIDDEN);
                }
                rc = wolfSSL_SetMinRsaKey_Sz(ssl, 3072);
                ExpectIntEQ(rc, WOLFSSL_SUCCESS);
                wolfSSL_free(ssl);
                ssl = NULL;
            }
            /* cleanup */
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #endif /* !NO_RSA */
        wolfSSL_crypto_policy_disable();
    }
    wolfSSL_crypto_policy_disable();
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY && !NO_TLS */
    return EXPECT_RESULT();
 }
 /* System wide crypto-policy test: tls and dtls methods.
 * */
 static int test_wolfSSL_crypto_policy_tls_methods(void)
 {
    EXPECT_DECLS;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY) && !defined(NO_TLS)
    int          rc = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
    const char * policy_list[] = {
        "examples/crypto_policies/legacy/wolfssl.txt",
        "examples/crypto_policies/default/wolfssl.txt",
        "examples/crypto_policies/future/wolfssl.txt",
    };
    int          i = 0;
    for (i = 0; i < 3; ++i) {
        WOLFSSL_CTX * ctx = NULL;
        int           is_legacy = 0;
        is_legacy = (XSTRSTR(policy_list[i], "legacy") != NULL) ? 1 : 0;
        /* Enable crypto policy. */
        rc = wolfSSL_crypto_policy_enable(policy_list[i]);
        ExpectIntEQ(rc, WOLFSSL_SUCCESS);
        rc = wolfSSL_crypto_policy_is_enabled();
        ExpectIntEQ(rc, 1);
        /* Try to use old TLS methods. Only allowed with legacy. */
        #if !defined(NO_OLD_TLS)
        ctx = wolfSSL_CTX_new(wolfTLSv1_1_method());
        if (is_legacy) {
            ExpectNotNull(ctx);
        }
        else {
            ExpectNull(ctx);
        }
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #if defined(WOLFSSL_ALLOW_TLSV10)
        ctx = wolfSSL_CTX_new(wolfTLSv1_method());
        if (is_legacy) {
            ExpectNotNull(ctx);
        }
        else {
            ExpectNull(ctx);
        }
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #endif /* WOLFSSL_ALLOW_TLSV10 */
        #else
        (void) is_legacy;
        #endif /* !NO_OLD_TLS */
        /* TLSv1_2_method should work for all policies. */
        ctx = wolfSSL_CTX_new(wolfTLSv1_2_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        ctx = wolfSSL_CTX_new(wolfTLSv1_3_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        ctx = wolfSSL_CTX_new(TLS_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #ifdef WOLFSSL_DTLS
        ctx = wolfSSL_CTX_new(DTLS_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        ctx = wolfSSL_CTX_new(wolfDTLSv1_2_method());
        ExpectNotNull(ctx);
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #ifndef NO_OLD_TLS
        /* Only allowed with legacy. */
        ctx = wolfSSL_CTX_new(wolfDTLSv1_method());
        if (is_legacy) {
            ExpectNotNull(ctx);
        }
        else {
            ExpectNull(ctx);
        }
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        #endif /* !NO_OLD_TLS */
        #endif /* WOLFSSL_DTLS */
        wolfSSL_crypto_policy_disable();
    }
    wolfSSL_crypto_policy_disable();
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY && !NO_TLS */
    return EXPECT_RESULT();
 }
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY) && !defined(NO_TLS)
 /*  Helper function for test_wolfSSL_crypto_policy_ciphers.
 *  Searches ssl suites for cipher string.
 *
 *  Returns   1 if found.
 *  Returns   0 if not found.
 *  Returns < 0 if error.
 * */
 static int crypto_policy_cipher_found(const WOLFSSL * ssl,
                                      const char *    cipher,
                                      int             match)
 {
    WOLF_STACK_OF(WOLFSSL_CIPHER) * sk = NULL;
    WOLFSSL_CIPHER *                current = NULL;
    const char *                    suite;
    int                             found = 0;
    int                             i = 0;
    if (ssl == NULL || cipher == NULL || *cipher == '\0') {
        return -1;
    }
    sk = wolfSSL_get_ciphers_compat(ssl);
    if (sk == NULL) {
        return -1;
    }
    do {
        current = wolfSSL_sk_SSL_CIPHER_value(sk, i++);
        if (current) {
            suite = wolfSSL_CIPHER_get_name(current);
            if (suite) {
                if (match == 1) {
                    /* prefix match */
                    if (XSTRNCMP(suite, cipher, XSTRLEN(cipher)) == 0) {
                        found = 1;
                        break;
                    }
                }
                else if (match == -1) {
                    /* postfix match */
                    if (XSTRLEN(suite) > XSTRLEN(cipher)) {
                        const char * postfix = suite + XSTRLEN(suite)
                                               - XSTRLEN(cipher);
                        if (XSTRNCMP(postfix, cipher, XSTRLEN(cipher)) == 0) {
                            found = 1;
                            break;
                        }
                    }
                }
                else {
                    /* needle in haystack match */
                    if (XSTRSTR(suite, cipher)) {
                        found = 1;
                        break;
                    }
                }
            }
        }
    } while (current);
    return found == 1;
 }
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY && !NO_TLS */
 /* System wide crypto-policy test: ciphers.
 * */
 static int test_wolfSSL_crypto_policy_ciphers(void)
 {
    EXPECT_DECLS;
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY) && !defined(NO_TLS)
    int          rc = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
    const char * policy_list[] = {
        "examples/crypto_policies/legacy/wolfssl.txt",
        "examples/crypto_policies/default/wolfssl.txt",
        "examples/crypto_policies/future/wolfssl.txt",
    };
    int          seclevel_list[] = { 1, 2, 3 };
    int          i = 0;
    int          is_legacy = 0;
    int          is_future = 0;
    for (i = 0; i < 3; ++i) {
        WOLFSSL_CTX * ctx = NULL;
        WOLFSSL     * ssl = NULL;
        int           found = 0;
        is_legacy = (XSTRSTR(policy_list[i], "legacy") != NULL) ? 1 : 0;
        is_future = (XSTRSTR(policy_list[i], "future") != NULL) ? 1 : 0;
        (void) is_legacy;
        /* Enable crypto policy. */
        rc = wolfSSL_crypto_policy_enable(policy_list[i]);
        ExpectIntEQ(rc, WOLFSSL_SUCCESS);
        rc = wolfSSL_crypto_policy_is_enabled();
        ExpectIntEQ(rc, 1);
        ctx = wolfSSL_CTX_new(TLS_method());
        ExpectNotNull(ctx);
        ssl = SSL_new(ctx);
        ExpectNotNull(ssl);
        rc = wolfSSL_CTX_get_security_level(ctx);
        ExpectIntEQ(rc, seclevel_list[i]);
        rc = wolfSSL_get_security_level(ssl);
        ExpectIntEQ(rc, seclevel_list[i]);
        found = crypto_policy_cipher_found(ssl, "RC4", 0);
        ExpectIntEQ(found, is_legacy);
        /* We return a different cipher string depending on build settings. */
        #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && \
        !defined(NO_ERROR_STRINGS) && !defined(WOLFSSL_QT)
        found = crypto_policy_cipher_found(ssl, "AES_128", 0);
        ExpectIntEQ(found, !is_future);
        found = crypto_policy_cipher_found(ssl, "TLS_DHE_RSA_WITH_AES", 1);
        ExpectIntEQ(found, !is_future);
        found = crypto_policy_cipher_found(ssl, "_SHA", -1);
        ExpectIntEQ(found, !is_future);
        #else
        found = crypto_policy_cipher_found(ssl, "AES128", 0);
        ExpectIntEQ(found, !is_future);
        found = crypto_policy_cipher_found(ssl, "DHE-RSA-AES", 1);
        ExpectIntEQ(found, !is_future);
        found = crypto_policy_cipher_found(ssl, "-SHA", -1);
        ExpectIntEQ(found, !is_future);
        #endif
        if (ssl != NULL) {
            SSL_free(ssl);
            ssl = NULL;
        }
        if (ctx != NULL) {
            wolfSSL_CTX_free(ctx);
            ctx = NULL;
        }
        wolfSSL_crypto_policy_disable();
    }
    wolfSSL_crypto_policy_disable();
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY && !NO_TLS */
    return EXPECT_RESULT();
 }
 static int test_wolfSSL_SSL_in_init(void)
 {
    EXPECT_DECLS;
@ -101317,6 +102018,10 @@ TEST_CASE testCases[] = {
 #endif
    TEST_DECL(test_wolfSSL_CTX_get_min_proto_version),
    TEST_DECL(test_wolfSSL_security_level),
    TEST_DECL(test_wolfSSL_crypto_policy),
    TEST_DECL(test_wolfSSL_crypto_policy_certs_and_keys),
    TEST_DECL(test_wolfSSL_crypto_policy_tls_methods),
    TEST_DECL(test_wolfSSL_crypto_policy_ciphers),
    TEST_DECL(test_wolfSSL_SSL_in_init),
    TEST_DECL(test_wolfSSL_CTX_set_timeout),
    TEST_DECL(test_wolfSSL_set_psk_use_session_callback),
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@ -221,6 +221,7 @@ enum wolfSSL_ErrorCodes {
    HRR_COOKIE_ERROR             = -505,   /* HRR msg cookie mismatch */
    UNSUPPORTED_CERTIFICATE      = -506,   /* unsupported certificate type */
    /* PEM and EVP errors */
    WOLFSSL_PEM_R_NO_START_LINE_E = -507,
    WOLFSSL_PEM_R_PROBLEMS_GETTING_PASSWORD_E = -508,
    WOLFSSL_PEM_R_BAD_PASSWORD_READ_E = -509,
@ -232,7 +233,10 @@ enum wolfSSL_ErrorCodes {
    WOLFSSL_EVP_R_DECODE_ERROR   = -514,
    WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR = -515,
-    WOLFSSL_LAST_E               = -515
+    CRYPTO_POLICY_FORBIDDEN      = -516,   /* operation forbidden by system
                                            * crypto-policy */
    WOLFSSL_LAST_E               = -516
    /* codes -1000 to -1999 are reserved for wolfCrypt. */
 };
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -1852,6 +1852,12 @@ enum Misc {
 #ifndef MAX_WOLFSSL_FILE_SIZE
    MAX_WOLFSSL_FILE_SIZE = 1024UL * 1024UL * 4,  /* 4 mb file size alloc limit */
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    MAX_WOLFSSL_CRYPTO_POLICY_SIZE = 1024UL, /* Crypto-policy file is one line.
                                              * It should not be large. */
    MIN_WOLFSSL_SEC_LEVEL = 0,
    MAX_WOLFSSL_SEC_LEVEL = 5,
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
    CERT_MIN_SIZE      =  256, /* min PEM cert size with header/footer */
@ -2409,16 +2415,16 @@ typedef struct CipherSuite {
 /* use wolfSSL_API visibility to be able to test in tests/api.c */
 WOLFSSL_API void InitSuitesHashSigAlgo(byte* hashSigAlgo, int have,
-                                             int tls1_2, int keySz,
+                                       int tls1_2, int keySz, word16* len);
                                             word16* len);
 WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx);
 WOLFSSL_LOCAL int AllocateSuites(WOLFSSL* ssl);
 WOLFSSL_LOCAL void InitSuites(Suites* suites, ProtocolVersion pv, int keySz,
                              word16 haveRSA, word16 havePSK, word16 haveDH,
                              word16 haveECDSAsig, word16 haveECC,
                              word16 haveStaticRSA, word16 haveStaticECC,
-                              word16 haveFalconSig, word16 haveDilithiumSig,
+                              word16 haveAnon, word16 haveNull,
-                              word16 haveAnon, word16 haveNull, int side);
+                              word16 haveAES128, word16 haveSHA1,
                              word16 haveRC4, int side);
 typedef struct TLSX TLSX;
 WOLFSSL_LOCAL int MatchSuite_ex(const WOLFSSL* ssl, Suites* peerSuites,
@ -4177,6 +4183,9 @@ struct WOLFSSL_CTX {
    byte *sigSpec;
    word16 sigSpecSz;
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    int secLevel; /* The security level of system-wide crypto policy. */
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 };
 WOLFSSL_LOCAL
@ -6257,8 +6266,20 @@ struct WOLFSSL {
    byte *peerSigSpec;     /* This pointer always owns the memory. */
    word16 peerSigSpecSz;
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    int secLevel; /* The security level of system-wide crypto policy. */
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 };
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
 #define WOLFSSL_SECLEVEL_STR "@SECLEVEL="
 struct SystemCryptoPolicy {
    int    enabled;
    int    secLevel;
    char   str[MAX_WOLFSSL_CRYPTO_POLICY_SIZE + 1]; /* + 1 for null term */
 };
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 /*
 * wolfSSL_PEM_read_bio_X509 pushes an ASN_NO_PEM_HEADER error
 * to the error queue on file end. This should not be left
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -3202,6 +3202,24 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_Init(void);
 /* call when done to cleanup/free session cache mutex / resources  */
 WOLFSSL_ABI WOLFSSL_API int wolfSSL_Cleanup(void);
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
 #ifndef NO_FILESYSTEM
 WOLFSSL_API int    wolfSSL_crypto_policy_enable(const char * policy);
 #endif /* ! NO_FILESYSTEM */
 WOLFSSL_API int    wolfSSL_crypto_policy_enable_buffer(const char * buf);
 WOLFSSL_API void   wolfSSL_crypto_policy_disable(void);
 WOLFSSL_API int    wolfSSL_crypto_policy_is_enabled(void);
 WOLFSSL_API const char * wolfSSL_crypto_policy_get_ciphers(void);
 WOLFSSL_API int    wolfSSL_crypto_policy_get_level(void);
 WOLFSSL_LOCAL int  wolfSSL_crypto_policy_init_ctx(WOLFSSL_CTX * ctx,
                                                  WOLFSSL_METHOD * method);
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 /* compat functions. */
 WOLFSSL_API int    wolfSSL_get_security_level(const WOLFSSL * ssl);
 #ifndef NO_WOLFSSL_STUB
 WOLFSSL_API void   wolfSSL_set_security_level(WOLFSSL * ssl, int level);
 #endif /* !NO_WOLFSSL_STUB */
 /* which library version do we have */
 WOLFSSL_API const char* wolfSSL_lib_version(void);
 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
@ -5807,7 +5825,6 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_param_check(WOLFSSL_EVP_PKEY_CTX* ctx);
 #endif
 WOLFSSL_API void wolfSSL_CTX_set_security_level(WOLFSSL_CTX* ctx, int level);
 WOLFSSL_API int wolfSSL_CTX_get_security_level(const WOLFSSL_CTX* ctx);
 WOLFSSL_API int wolfSSL_SESSION_is_resumable(const WOLFSSL_SESSION *s);
 WOLFSSL_API void wolfSSL_CRYPTO_free(void *str, const char *file, int line);
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@ -4333,6 +4333,16 @@ extern void uITRON4_free(void *p) ;
    #error "Please disable DSA if disabling SHA-1"
 #endif
 #if defined(WOLFSSL_SYS_CRYPTO_POLICY)
    #if !defined(WOLFSSL_CRYPTO_POLICY_FILE)
        #error "WOLFSSL_SYS_CRYPTO_POLICY requires a crypto policy file"
    #endif /* ! WOLFSSL_CRYPTO_POLICY_FILE */
    #if !defined(OPENSSL_EXTRA)
        #error "WOLFSSL_SYS_CRYPTO_POLICY requires OPENSSL_EXTRA"
    #endif /* ! OPENSSL_EXTRA */
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 /* if configure.ac turned on this feature, HAVE_ENTROPY_MEMUSE will be set,
 * also define HAVE_WOLFENTROPY */
 #ifdef HAVE_ENTROPY_MEMUSE
		`@ -0,0 +1 @@`
							`@SECLEVEL=2:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!RC4:!eNULL:!aNULL`
		`@ -0,0 +1 @@`
							`@SECLEVEL=3:EECDH:EDH:PSK:DHEPSK:ECDHEPSK:!RSAPSK:!kRSA:!AES128:!RC4:!eNULL:!aNULL:!SHA1`
		`@ -0,0 +1 @@`
							`@SECLEVEL=1:EECDH:kRSA:EDH:PSK:DHEPSK:ECDHEPSK:RSAPSK:!eNULL:!aNULL`