[Pkg-openssl-devel] Bug#927461: release-notes: Document how to handle openssls new defaults

Paul Gevers elbrus at debian.org
Sun Apr 21 15:52:30 BST 2019


Hi Kurt, Christoph, Sebastian, others,

On Sat, 20 Apr 2019 06:07:00 +0000 Niels Thykier <niels at thykier.net> wrote:
> clone 927435 -1
> reassign -1 release-notes
> retitle -1 release-notes: Document how to handle openssls new defaults

> > After upgrading to buster, unbound-control would fail to run with this error:
> > 
> > error: Error setting up SSL_CTX client cert
> > 139765110753216:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
> > 
> > To fix this I had to regenerate the certs and keys by removing the old ones and
> > running unbound-control-setup, then restarting unbound. This fixed the issue.
> > 
> > $ cd /etc/unbound/
> > $ sudo rm *.key *.pem
> > $ sudo unbound-control-setup
> > $ sudo systemctl restart unbound
> > 
> > Note that with unbound-control broken, that broke `systemctl reload unbound` as
> > it depends on unbound-control.
> > 
> > [...]
> > 

> I have split it into two bugs:

>  * One for the release-notes because the stricter defaults in OpenSSL
>    affect multiple programs (I have seen similar issues from e.g.
>    wpa_supplicant). At this point, we should probably document the
>    knobs involved[1].

> [1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding
> """
> [system_default_sect]
> ...
> CipherString = DEFAULT@SECLEVEL=2
> """
> 
> And change that SECLEVEL=2 to SECLEVEL=1.  Obviously, this has
> system-wide effects and reduces the minimum key size for all things that
> do not set their own CipherString (e.g. webservers have configuration to
> do that and wpa_supplicant overrides the new default as well as most
> WiFi have small keys).

Could somebody from the openssl team propose a text that can be added to
the release-notes about the new defaults? I am not asking for package
specific text (although that is welcome of course), but rather a generic
description of the change, what it means, how it can be circumvented and
what the drawbacks of that are.

Paul
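The following script is an added example, not part of this mail, the bug report, or the Debian openssl/unbound packages. It reproduces the "key too small" rejection offline: `openssl verify -auth_level N` applies the same minimum-strength table as the `@SECLEVEL=N` CipherString suffix (level 1 requires 80-bit security, so RSA keys of at least 1024 bits; level 2 requires 112-bit security, so RSA/DSA/DH keys of at least 2048 bits and EC keys of at least 224 bits). It assumes an `openssl` binary (1.1.0 or newer) on PATH; the function names and the throwaway certificates are made up for the demo and the system openssl.cnf is not touched.

```shell
#!/bin/sh
# Added example (not from the bug report or the release notes): show which
# RSA key sizes pass at security level 1 vs 2 without touching any system
# service. `openssl verify -auth_level N` uses the same key-strength table
# as `CipherString = DEFAULT@SECLEVEL=N` in /etc/ssl/openssl.cnf.
# Assumes an `openssl` binary (1.1.0+) on PATH; names below are made up.

# Generate a throwaway self-signed certificate with the requested RSA size.
# Usage: make_cert <bits> <prefix>  -> writes <prefix>.key and <prefix>.crt
make_cert() {
    bits=$1; prefix=$2
    openssl req -x509 -newkey "rsa:${bits}" -nodes -sha256 -days 1 \
        -subj "/CN=seclevel-demo-${bits}" \
        -keyout "${prefix}.key" -out "${prefix}.crt" >/dev/null 2>&1
}

# Print the public-key size in bits of a PEM certificate (works with the
# "RSA Public-Key: (N bit)" wording of 1.1.1 and "Public-Key: (N bit)" of 3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the certificate is accepted at the given security level,
# 1 if it is rejected. The cert is self-signed, so it serves as its own CA;
# a too-small leaf key fails with "EE certificate key too weak".
accepted_at_level() {
    cert=$1; level=$2
    openssl verify -auth_level "$level" -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Plain size check for RSA keys against the SECLEVEL=2 minimum of 2048 bits,
# which is the threshold unbound-control's 1024-bit key fell below.
rsa_ok_for_seclevel2() {
    [ "$1" -ge 2048 ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_cert 1024 "$tmp/small" || return 1
    make_cert 2048 "$tmp/ok"    || return 1
    for c in small ok; do
        bits=$(cert_key_bits "$tmp/$c.crt")
        for lvl in 1 2; do
            if accepted_at_level "$tmp/$c.crt" "$lvl"; then r=accepted; else r=REJECTED; fi
            printf '%s-bit RSA at security level %s: %s\n' "$bits" "$lvl" "$r"
        done
    done
    rm -rf "$tmp"
}

demo
```

Running it prints that the 1024-bit key is accepted at level 1 but rejected at level 2, while the 2048-bit key passes both. That is exactly the trade-off discussed above: lowering the system-wide `SECLEVEL` to 1 re-admits every 1024-bit key on the host, whereas regenerating the affected keys (as the reporter did with `unbound-control-setup`) keeps the stronger default in place.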
