[Pkg-openssl-devel] Bug#912439: Bug#912439: OpenSSL in Debian Testing breaks SSL connectivity in some cases with hexchat/irssi
Justin Piszcz
jpiszcz at lucidpixels.com
Wed Oct 31 20:06:49 GMT 2018
On Wed, Oct 31, 2018 at 3:07 PM Kurt Roeckx <kurt at roeckx.be> wrote:
> On Wed, Oct 31, 2018 at 11:08:18AM -0400, Justin Piszcz wrote:
> > Package: openssl
> > Version: 1.1.1-2
> >
> > Bug: Connection failed (20337260938) error:141A318A:SSL
> > routines:tls_process_ske_dhe:dh key too small)
>
> During the upgrade you should have received the following message:
>
> Following various security recommendations, the default minimum TLS version
> has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
> plan to do the same around March 2020.
>
> The default security level for TLS connections has also been increased from
> level 1 to level 2. This moves from the 80 bit security level to the 112 bit
> security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
> or larger ECC keys, and SHA-2.
>
> The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
> might also have a way to override the defaults.
>
> In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
> line. The CipherString can also set the security level. Information about the
> security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
> The list of valid strings for the minimum protocol version can be found in
> SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
> config(5ssl).
>
> Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
> defaults can be done using:
> MinProtocol = None
> CipherString = DEFAULT
>
> It's recommended that you contact the remote site in case the defaults cause
> problems.
>
>
> Kurt
>
Understood & thank you!
Justin.
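
Added example (not part of the original thread, nor Debian's or OpenSSL's code): a small Python audit of openssl.cnf-style text for the two settings discussed above, plus the key-size check behind the "dh key too small" error. The sample configs are constructed; the hardened one assumes the default line is written as DEFAULT@SECLEVEL=2, and the per-level key sizes follow SSL_CTX_set_security_level(3ssl).

```python
import re

# Values accepted by MinProtocol for TLS (SSL_CONF_cmd(3ssl)), weakest first.
PROTO_RANK = {"None": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
# Minimum RSA/DH key size per security level (SSL_CTX_set_security_level(3ssl)).
MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def read_settings(conf_text):
    """Return the last MinProtocol / CipherString values found in the text."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("MinProtocol", "CipherString"):
            found[key.strip()] = value.strip()
    return found

def security_level(cipher_string):
    """Level from an explicit @SECLEVEL=n, else None (library built-in applies)."""
    m = re.search(r"@SECLEVEL=([0-5])", cipher_string or "")
    return int(m.group(1)) if m else None

def audit(conf_text):
    """List findings where the config is weaker than TLSv1.2 / level 2."""
    s, findings = read_settings(conf_text), []
    proto = s.get("MinProtocol")
    if proto not in PROTO_RANK:
        findings.append(f"MinProtocol missing or unrecognised: {proto!r}")
    elif PROTO_RANK[proto] < PROTO_RANK["TLSv1.2"]:
        findings.append(f"MinProtocol = {proto} allows protocols below TLSv1.2")
    level = security_level(s.get("CipherString"))
    if level is None:
        findings.append("CipherString sets no @SECLEVEL; built-in level applies")
    elif level < 2:
        findings.append(f"@SECLEVEL={level} accepts DH/RSA keys under 2048 bits")
    return findings

def dhe_key_accepted(bits, level):
    """True if a server's DHE key of this size passes the given level."""
    return bits >= MIN_DH_BITS[level]

# Constructed samples: the hardened default and the rollback from the message.
HARDENED = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
ROLLBACK = "[system_default_sect]\nMinProtocol = None\nCipherString = DEFAULT\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("rollback", ROLLBACK)):
        print(name, audit(text) or "ok")
    print("1024-bit DHE at level 2:", dhe_key_accepted(1024, 2))
```

Running it against a copy of /etc/ssl/openssl.cnf shows whether a host is still on the rollback values after the remote site has moved to 2048-bit DHE keys.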