[Pkg-openssl-devel] Building alpha3 with -DOPENSSL_TLS_SECURITY_LEVEL=2

Kurt Roeckx kurt at roeckx.be
Wed Jun 17 21:28:59 BST 2020


On Wed, Jun 17, 2020 at 10:14:43PM +0200, Sebastian Andrzej Siewior wrote:
> On 2020-06-17 22:00:30 [+0200], Kurt Roeckx wrote:
> > > So how do we get DEFAULT at SECLEVEL=2 and MinProtocol = TLSv1.2 by default
> > > and so that it could be overridden?
> > 
> > The plan is to get older versions disabled by disabling SHA1 and
> > MD5 at security level 1.
> 
> So you say we don't disable TLS1.0+TLS1.1 by default but we don't allow
> SHA1 as MAC, and since SHA256/AEAD is only defined in TLSv1.2 we
> would end up with no common cipher for <TLSv1.2.
> 
> Okay. I'll try to remember this. Are the wheels in motion for this plan?

Yes: https://github.com/openssl/openssl/pull/10787


Kurt
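
The reasoning in the quoted exchange can be checked against the local OpenSSL build. The following is an added example, not part of the original message or of the linked pull request: it uses a cipher-string exclusion (`!SHA1:!MD5`) rather than the security-level change under discussion, and leaves out PSK and SRP suites on the assumption that the thread concerns certificate-authenticated TLS. The function and constant names are hypothetical.

```python
import ssl

# Protocol labels that get_ciphers() reports for suites first defined in TLSv1.2 or later.
MODERN = ("TLSv1.2", "TLSv1.3")

def suites(cipher_string):
    """Return the suites the local OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

def below_tls12(entries):
    """Names of suites whose 'protocol' (earliest version defining them) predates TLSv1.2."""
    return [e["name"] for e in entries if e["protocol"] not in MODERN]

# Assumption: certificate-authenticated TLS only, so PSK and SRP suites are left out.
BASE = "DEFAULT:!PSK:!SRP"
# Same list with every suite that uses SHA1 or MD5 as its MAC removed.
NO_LEGACY_MAC = BASE + ":!SHA1:!MD5"

if __name__ == "__main__":
    before = suites(BASE)
    after = suites(NO_LEGACY_MAC)
    print(ssl.OPENSSL_VERSION)
    print("suites negotiable below TLSv1.2, SHA1/MD5 MAC allowed:", len(below_tls12(before)))
    print("suites negotiable below TLSv1.2, SHA1/MD5 MAC removed:", below_tls12(after))
    for e in after:
        # What is left is AEAD (digest None) or SHA256/SHA384 MAC suites.
        print(f"  {e['protocol']:8} {e['name']:32} mac={e['digest']}")
```

Run on a host to see which suites a TLSv1.0 or TLSv1.1 peer could still negotiate before and after the exclusion.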



