[Pkg-openssl-devel] Bug#912439: Bug#912439: OpenSSL in Debian Testing breaks SSL connectivity in some cases with hexchat/irssi
Kurt Roeckx
kurt at roeckx.be
Wed Oct 31 19:07:56 GMT 2018
On Wed, Oct 31, 2018 at 11:08:18AM -0400, Justin Piszcz wrote:
> Package: openssl
> Version: 1.1.1-2
>
> Bug: Connection failed (20337260938) error:141A318A:SSL
> routines:tls_process_ske_dhe:dh key too small)
During the upgrade you should have received the following message:
Following various security recommendations, the default minimum TLS version
has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
plan to do the same around March 2020.
The default security level for TLS connections has also been increased from
level 1 to level 2. This moves from the 80 bit security level to the 112 bit
security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
or larger ECC keys, and SHA-2.
The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
might also have a way to override the defaults.
In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
line. The CipherString can also set the security level. Information about the
security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
The list of valid strings for the minimum protocol version can be found in
SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
config(5ssl).
Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
defaults can be done using:
MinProtocol = None
CipherString = DEFAULT
It's recommended that you contact the remote site in case the defaults cause
problems.
Kurt
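For reference, here is how the two settings named in the message sit inside a Debian-style /etc/ssl/openssl.cnf, with the new level-2 defaults and the old defaults side by side. This is an added, constructed fragment, not text from the bug report or from the Debian package; the section names (default_conf, ssl_sect, system_default_sect) are assumed to match the packaged file.

```ini
# The top-level openssl_conf key points at a chain of sections that ends in
# system_default_sect; that is where MinProtocol and CipherString live.
# (section names assumed to match the Debian openssl 1.1.1 config)
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

# New Debian defaults: TLS 1.2 minimum and security level 2 (112-bit), which
# requires >= 2048-bit RSA/DHE keys, >= 224-bit ECC keys and SHA-2. A remote
# server offering a 1024-bit DHE key is rejected with "dh key too small".
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

# Previous system-wide defaults (no minimum protocol, security level 1).
# Setting these re-enables TLS 1.0/1.1 and 80-bit parameters for every
# application on the host, so prefer having the remote site fix its key size
# or relaxing the setting only in the one client that needs it.
#[system_default_sect]
#MinProtocol = None
#CipherString = DEFAULT
```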