On Tue, Mar 22, 2022 at 08:19:01PM +0000, Adam D. Barratt wrote:
> OpenSSL signature algorithm check tightening
> =============================================
> 
> The OpenSSL update included in this point release includes a change to
> ensure that the requested signature algorithm is supported by the
> active security level.
> 
> Although this will not affect most use-cases, it could lead to error
> messages being generated if a non-supported algorithm is requested -
> for example, use of SHA1 with the default security level of 2. In such
> cases, the security level will need to be explicitly lowered when
> invoking OpenSSL, using an option such as
> 
>     -cipher "ALL:@SECLEVEL=1"
> "

So reading it again, I think the "when invoking OpenSSL" is confusing.
Not only is the openssl binary affected, but so are all client and
server applications making use of the library. Some applications
might have a way to set the cipher in their own configuration file,
others might need to change the defaults in /etc/ssl/openssl.cfg.


Kurt
