On Tue, Apr 21, 2020 at 09:18:05PM +0200, Sebastian Andrzej Siewior wrote:
> On 2020-04-15 13:38:23 [+0200], Kurt Roeckx wrote:
> > On Wed, Apr 15, 2020 at 12:19:24PM +0100, Simon McVittie wrote:
> > >
> > > I think setting defaults in the shared library itself would be more
> > > robust, and if a configuration file to override that is necessary,
> >
> > This is also the route that Ubuntu took, because it's possible to
> > install the library without the openssl package. I think we should
> > do this too.
> >
> > It causes various issues with the test suite because SHA1 is used
> > for various tests. But I think that has been fixed in master, or has a
> > pull request.
> >
> > I would like to drop SHA1 support in testing/unstable anyway, so I
> > think we should merge those patches once they've all been merged.
>
> Ehm. I read this a few times but I have no idea what we are going to do.
> Could you please enlighten me?
It's about building with -DOPENSSL_TLS_SECURITY_LEVEL=2, and something like the patch I've used before to set the default TLS version, instead of having both in openssl.cfg. Setting it in the config file should override the build time defaults.

Building with that set will cause testsuite errors. Some of those are because SHA1 is being used. In the master branch, things are changing so that SHA1 isn't allowed at security level 1 anymore.

For the next release, if we're not shipping 3.0, I would like to at least change that.

Kurt
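For readers following the thread, this is an added illustration (not from the thread, and not the file Debian or the OpenSSL project ships) of the configuration-file override Kurt describes: the two settings that would otherwise be compiled in (the security level and the minimum TLS version) expressed in openssl.cnf, where a configured value takes precedence over the build-time default. Section names (default_conf, ssl_sect, system_default_sect) are chosen here; the directives themselves are OpenSSL's.

```ini
# Added example: openssl.cnf fragment setting process-wide libssl defaults.
# Section names below are arbitrary; the directive names are OpenSSL's.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Same effect as building with -DOPENSSL_TLS_SECURITY_LEVEL=2 (112-bit
# security: RSA/DSA/DH keys below 2048 bits and EC keys below 224 bits
# are rejected). A value set here wins over the compiled-in default.
CipherString = DEFAULT@SECLEVEL=2
# Same effect as a patched default TLS version: refuse TLS 1.0 and 1.1.
MinProtocol = TLSv1.2
```

The [system_default_sect] values are applied to every SSL_CTX created by a program that lets libssl load the default configuration, which is why they override the compiled-in level rather than merely sitting beside it.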