[Bug 1856428] Re: Disable TLS below 1.2 by default
James Henstridge
james.henstridge at canonical.com
Wed Feb 19 05:08:17 UTC 2020
For anyone who finds this bug, and wonders about the "Users can override
this behaviour with a config file" part, here's what I did to get an
OpenSSL-using application to talk to an old server that only supported
TLSv1 (in my case, an old Mumble server):
1. create an "openssl.cnf" file somewhere with the following contents:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT at SECLEVEL=1
2. set the OPENSSL_CONF environment variable to this file's path when
running the application.
I wouldn't recommend making the change to the global
/etc/ssl/openssl.cnf, or setting $OPENSSL_CONF for situations where it
isn't needed, since this does reduce the default security.
--
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1856428
Title:
Disable TLS below 1.2 by default
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/+subscriptions
More information about the Ubuntu-mozillateam-bugs
mailing list