How to further handle Openssl 1.1.1 in Bionic?

Robie Basak robie.basak at ubuntu.com
Thu Oct 10 12:36:01 UTC 2019


On Thu, Oct 10, 2019 at 11:03:43AM +0100, Dimitri John Ledkov wrote:
> That's not quite a correct assessment of things. We will break people
> and will trade connectivity for better security. That's why we have
> disabled SSLv3, mitigated POODLE attacks, etc. We will continue to
> require entropy, and higher key sizes, and better key-exchange
> algorithms as we go along. And sometimes that includes security
> updates, which SRUs build on top of. The change-effect you describe is
> due to a security update of openssl, which trumps SRUs. OpenSSL 1.1.0
> & 1.1.1 have raised a set of minimum key size requirements, mostly
> breaking all the test-suites with pre-generated tiny keys, but some
> real users too.
> 
> As a local configuration, I believe one can lower OpenSSL security
> requirements by setting CipherString = DEFAULT@SECLEVEL=0 which will
> bring requirements down to like pre-1.0.2, but that should only be
> done as a local site configuration, and clients hunted down and
> upgraded/fixed.

This is useful to know, thanks.

Is there any place we're maintaining documentation on this? It would be
handy to be able to point affected users to somewhere with an
explanation of what we're changing and why, with suggestions for
workarounds.
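As an added example (not part of either message above): the site-local override Dimitri describes, shown beside the distribution default, in the `/etc/ssl/openssl.cnf` layout that OpenSSL 1.1.1 reads automatically. The section names are assumed; the SECLEVEL=2 and TLSv1.2 lines reflect what Bionic ships.

```ini
# Top-level hook that makes libssl read the ssl_conf module on startup.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX created by applications using this config.
system_default = system_default_sect

[system_default_sect]
# Distribution default (Bionic): modern protocols, 112-bit minimum security
# level, so RSA/DH keys shorter than 2048 bits are rejected.
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

# Site-local workaround for legacy peers with tiny pre-generated keys.
# Uncomment ONLY on the affected host, and remove it once the offending
# clients/certificates have been fixed; it re-enables pre-1.0.2 behaviour.
#MinProtocol = TLSv1
#CipherString = DEFAULT@SECLEVEL=0

# Check which cipher list a given level yields, e.g.:
#   openssl ciphers -v 'DEFAULT@SECLEVEL=0' | wc -l
#   openssl ciphers -v 'DEFAULT@SECLEVEL=2' | wc -l
```

Applications that call `SSL_CTX_set_cipher_list()` themselves override the `system_default` section, so the host-wide setting is not a substitute for fixing such clients individually.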