<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Wed, Oct 31, 2018 at 3:07 PM Kurt Roeckx <<a href="mailto:kurt@roeckx.be" target="_blank">kurt@roeckx.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, Oct 31, 2018 at 11:08:18AM -0400, Justin Piszcz wrote:<br>
> Package: openssl<br>
> Version: 1.1.1-2<br>
> <br>
> Bug: Connection failed (20337260938) error:141A318A:SSL<br>
> routines:tls_process_ske_dhe:dh key too small)<br>
<br>
During the upgrade you should have received the following message:<br>
<br>
Following various security recommendations, the default minimum TLS version<br>
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple<br>
plan to do same around March 2020.<br>
<br>
The default security level for TLS connections has also be increased from<br>
level 1 to level 2. This moves from the 80 bit security level to the 112 bit<br>
security level and will require 2048 bit or larger RSA and DHE keys, 224 bit<br>
or larger ECC keys, and SHA-2.<br>
<br>
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications<br>
might also have a way to override the defaults.<br>
<br>
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString<br>
line. The CipherString can also sets the security level. Information about the<br>
security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.<br>
The list of valid strings for the minimum protocol version can be found in<br>
SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and<br>
config(5ssl).<br>
<br>
Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide<br>
defaults can be done using:<br>
MinProtocol = None<br>
CipherString = DEFAULT<br>
<br>
It's recommended that you contact the remote site in case the defaults cause<br>
problems.<br>
<br>
<br>
Kurt<br></blockquote><div><br></div><div>Understood & thank you!</div><div><br></div><div>Justin.</div><div> </div></div></div>