Thursday 10 October 2019

Re: How to further handle Openssl 1.1.1 in Bionic?

On Thu, Oct 10, 2019 at 11:03:43AM +0100, Dimitri John Ledkov wrote:
> That's not quite a correct assessment of things. We will break people
> and will trade connectivity for better security. That's why we have
> disabled SSLv3, mitigated POODLE attacks, etc. We will continue to
> require entropy, and higher key sizes, and better key-exchange
> algorithms as we go along. And sometimes that includes security
> updates, which SRUs build on top of. The change-effect you describe is
> due to a security update of openssl, which trumps SRUs. OpenSSL 1.1.0
> & 1.1.1 have raised a set of minimum key size requirements, mostly
> breaking all the test-suites with pre-generated tiny keys, but some
> real users too.
>
> As a local configuration, I believe one can lower OpenSSL security
> requirements by setting CipherString = DEFAULT@SECLEVEL=0 which will
> bring requirements down to like pre 1.0.2, but that should only be
> done as a local site configuration, and clients hunted down and
> upgraded/fixed.

This is useful to know, thanks.

Is there any place we're maintaining documentation on this? It would be
handy to be able to point affected users to somewhere with an
explanation of what we're changing and why, with suggestions for
workarounds.
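An added example (not part of this thread, and not Ubuntu's or OpenSSL's own tooling) that shows the key-size floor the quoted message is talking about. It constructs a throwaway 1024-bit self-signed certificate and asks `openssl verify -auth_level N` to accept it; `-auth_level` uses the same security-level definitions as `SSL_CTX_set_security_level` (the thing `CipherString = DEFAULT@SECLEVEL=N` sets for TLS), so level 0 accepts the key and level 2, the 112-bit level where RSA keys below 2048 bits are prohibited, rejects it. The `weak-test` subject name and the temporary file names are arbitrary choices for this demonstration.

```shell
#!/bin/sh
# Added example: demonstrate OpenSSL's security-level key-size checks on a
# deliberately weak key. Nothing here is from the original mailing-list post.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a 1024-bit RSA key offers ~80 bits of security,
# below the 112-bit floor (2048-bit RSA) that security level 2 enforces.
# Key and certificate are written to a temporary directory and removed on exit.
make_weak_cert() {
    openssl req -x509 -newkey rsa:1024 -nodes -days 1 -subj '/CN=weak-test' \
        -keyout "$WORK/weak.key" -out "$WORK/weak.pem" >/dev/null 2>&1
}

# verify_at_level LEVEL: exit status of 'openssl verify' for the weak cert
# at the given authentication security level (0..5, same scale as @SECLEVEL).
verify_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORK/weak.pem" \
        "$WORK/weak.pem" >/dev/null 2>&1
}

# key_status_at_level LEVEL: prints "accepted" or "rejected".
key_status_at_level() {
    if verify_at_level "$1"; then
        echo accepted
    else
        echo rejected
    fi
}

make_weak_cert

# Walk the levels so the cut-off is visible: 0 and 1 accept a 1024-bit key,
# 2 and above reject it, which is the breakage the thread describes.
for level in 0 1 2 3; do
    printf 'SECLEVEL=%s: 1024-bit RSA key %s\n' "$level" "$(key_status_at_level "$level")"
done
```

Running this against a 1.1.1 or 3.x `openssl` prints accepted for levels 0 and 1 and rejected from level 2 upward. That is the trade described above in miniature: dropping a site to `@SECLEVEL=0` makes the weak key work again, but it does so by switching off the floor for every peer, which is why the message frames it as a temporary local setting while the clients with small keys get found and fixed.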