[Pkg-openssl-devel] Bug#912439: Bug#912439: OpenSSL in Debian Testing breaks SSL connectivity in some cases with hexchat/irssi

Justin Piszcz jpiszcz at lucidpixels.com
Wed Oct 31 20:06:49 GMT 2018


On Wed, Oct 31, 2018 at 3:07 PM Kurt Roeckx <kurt at roeckx.be> wrote:

> On Wed, Oct 31, 2018 at 11:08:18AM -0400, Justin Piszcz wrote:
> > Package: openssl
> > Version: 1.1.1-2
> >
> > Bug: Connection failed (20337260938) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small)
>
> During the upgrade you should have received the following message:
>
>   Following various security recommendations, the default minimum TLS version
>   has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
>   plan to do the same around March 2020.
>
>   The default security level for TLS connections has also been increased from
>   level 1 to level 2. This moves from the 80 bit security level to the 112 bit
>   security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
>   or larger ECC keys, and SHA-2.
>
>   The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
>   might also have a way to override the defaults.
>
>   In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
>   line. The CipherString can also set the security level. Information about the
>   security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
>   The list of valid strings for the minimum protocol version can be found in
>   SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
>   config(5ssl).
>
>   Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
>   defaults can be done using:
>   MinProtocol = None
>   CipherString = DEFAULT
>
>   It's recommended that you contact the remote site in case the defaults cause
>   problems.
>
>
> Kurt
>

Understood & thank you!

Justin.
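
An added example, not part of the original thread or of Debian's packaging: a small Python check that reads openssl.cnf-style text and reports whether its MinProtocol and CipherString lines still meet the TLSv1.2 / security level 2 baseline described in the quoted upgrade message. The section name and both sample files are constructed for illustration, and the parser only handles plain `key = value` lines.

```python
import re

# Baseline taken from the upgrade message quoted in the thread.
BASELINE_PROTO = "TLSv1.2"
BASELINE_LEVEL = 2
# Weakest to strongest; "None" means no minimum version is enforced.
PROTO_ORDER = ["None", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_settings(text):
    """Collect the MinProtocol and CipherString values from config text."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        # Split on the first "=" only: the value may contain "@SECLEVEL=2".
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("minprotocol", "cipherstring"):
            found[key.lower()] = value
    return found

def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_settings(text)
    findings = []
    proto = cfg.get("minprotocol")
    if proto is None:
        findings.append("MinProtocol is not set")
    elif proto not in PROTO_ORDER:
        findings.append(f"MinProtocol has unrecognised value {proto!r}")
    elif PROTO_ORDER.index(proto) < PROTO_ORDER.index(BASELINE_PROTO):
        findings.append(f"MinProtocol {proto} is below {BASELINE_PROTO}")
    match = re.search(r"@SECLEVEL=(\d)", cfg.get("cipherstring", ""))
    if match is None:
        findings.append("CipherString does not pin a security level")
    elif int(match.group(1)) < BASELINE_LEVEL:
        findings.append(f"security level {match.group(1)} is below {BASELINE_LEVEL}")
    return findings

# Constructed samples; the section name is an assumption.
HARDENED = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
# The system-wide rollback shown in the quoted message.
REVERTED = "[system_default_sect]\nMinProtocol = None\nCipherString = DEFAULT\n"

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("reverted", REVERTED)):
        print(name, audit(sample) or "meets baseline")
```
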