Commit 657ef2a7 authored by Ondrej Sury

Drop the patch for setting the minimum security level to TLS 1.2 (that's too draconic for the PPA/DPA)
parent 24924583
openssl (1.1.1-2) unstable; urgency=medium
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do same around March 2020.
The default security level for TLS connections has also be increased from
level 1 to level 2. This moves from the 80 bit security level to the 112 bit
security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
or larger ECC keys, and SHA-2.
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
might also have a way to override the defaults.
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
line. The CipherString can also sets the security level. Information about the
security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
The list of valid strings for the minimum protocol version can be found in
SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
config(5ssl).
Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
defaults can be done using:
MinProtocol = None
CipherString = DEFAULT
It's recommended that you contact the remote site in case the defaults cause
problems.
-- Kurt Roeckx <kurt@roeckx.be> Sun, 28 Oct 2018 20:58:35 +0100
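Review bot: Dropping the whole NEWS entry leaves PPA/DPA users with no notice that this build's defaults differ from the Debian unstable package the entry was written for (MinProtocol TLSv1.2, security level 2). Consider replacing it with a short entry stating that this build keeps the previous defaults the removed text names, `MinProtocol = None` and `CipherString = DEFAULT`, and pointing at /etc/ssl/openssl.cnf for users who want the stricter settings. Note also that the removed text describes two separate changes, the minimum protocol version (TLSv1 to TLSv1.2) and the security level (1 to 2, i.e. 2048-bit RSA/DHE, 224-bit ECC, SHA-2), while the commit title only speaks of "the minimum security level to TLS 1.2"; the title should make clear that both are reverted.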
......@@ -3,4 +3,3 @@ man-section.patch
no-symbolic.patch
pic.patch
c_rehash-compat.patch
Set-systemwide-default-settings-for-libssl-users.patch
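Review bot: Only the series line is removed here; the diff shows no deletion of debian/patches/Set-systemwide-default-settings-for-libssl-users.patch itself, so unless it is removed elsewhere in this commit the file stays in the tree as an orphaned, unapplied patch. Either delete the patch file in the same commit, or say in the commit message that it is deliberately kept so the stricter defaults can be re-enabled later.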