issues.dbk: OpenSSL default version raised

Taken from /usr/share/doc/libssl1.1/NEWS.Debian.gz Closes: #927461

issues.dbk: OpenSSL default version raised
04360d30 · Paul Gevers · f1125579 · 04360d30
Verified Commit 04360d30 authored 6 years ago by Paul Gevers
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -164,6 +164,52 @@ $ sudo update-initramfs -u
    </para>
  </section>

+  <section id="openssl-defaults">
+    <!-- stretch to buster -->
+    <title>OpenSSL default version and security level raised</title>
+    <para>
+      Following various security recommendations, the default minimum TLS
+      version has been changed from TLSv1 to TLSv1.2.
+    </para>
+    <para>
+      The default security level for TLS connections has also be increased from
+      level 1 to level 2. This moves from the 80 bit security level to the 112
+      bit security level and will require 2048 bit or larger RSA and DHE keys,
+      224 bit or larger ECC keys, and SHA-2.
+    </para>
+    <para>
+      The system wide settings can be changed in
+      <filename>/etc/ssl/openssl.cnf</filename>. Applications might also have
+      an application specific way to override the defaults.
+    </para>
+    <para>
+      In the default <filename>/etc/ssl/openssl.cnf</filename> there is a
+      <literal>MinProtocol</literal> and <literal>CipherString</literal>
+      line. The <literal>CipherString</literal> can also sets the security
+      level. Information about the security levels can be found in the <ulink
+      url="https://manpages.debian.org/SSL_CTX_set_security_level(3ssl)">SSL_CTX_set_security_level(3ssl)</ulink>
+      manpage. The list of valid strings for the minimum protocol version can
+      be found in <ulink
+      url="https://manpages.debian.org/SSL_CONF_cmd(3ssl)">SSL_CONF_cmd(3ssl)</ulink>. Other
+      information can be found in <ulink
+      url="https://manpages.debian.org/ciphers(1ssl)">ciphers(1ssl)</ulink> and
+      <ulink
+      url="https://manpages.debian.org/config(5ssl)">config(5ssl)</ulink>.
+    </para>
+    <para>
+      Changing back the defaults in <filename>/etc/ssl/openssl.cnf</filename>
+      to previous system wide defaults can be done using:
+      <programlisting>
+        MinProtocol = None
+        CipherString = DEFAULT
+      </programlisting>
+    </para>
+    <para>
+      It's recommended that you contact the remote site in case the defaults
+      cause problems.
+    </para>
+  </section>
+
  <section id="noteworthy-obsolete-packages" condition="fixme">
    <title>Noteworthy obsolete packages</title>
    <para>