On Tue, 2022-03-22 at 22:13 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> > On Tue, Mar 22, 2022 at 08:19:01PM +0000, Adam D. Barratt wrote:
> > > OpenSSL signature algorithm check tightening
> > > =============================================
> > >
> > > The OpenSSL update included in this point release includes a
> > > change to
> > > ensure that the requested signature algorithm is supported by the
> > > active security level.
> > >
> > > Although this will not affect most use-cases, it could lead to
> > > error
> > > messages being generated if a non-supported algorithm is
> > > requested -
> > > for example, use of SHA1 with the default security level of 2. In
> > > such
> > > cases, the security level will need to be explicitly lowered when
> > > invoking OpenSSL, using an option such as
> > >
> > > -cipher "ALL:@SECLEVEL=1"
> > > "
> >
> > So reading it again, I think the "when invoking OpenSSL" is
> > confusing.
> > Not only the openssl binary is affected, but also all clients and
> > server applications making use of the library are. Some
> > applications
> > might have a way to set the cipher in their own configuration file,
> > others might need to change the defaults in /etc/ssl/openssl.cfg
>
> s/openssl.cfg/openssl.cnf
Right, let's have another go at this then:
"
OpenSSL signature algorithm check tightening
=============================================
The OpenSSL update provided in this point release includes a
change to ensure that the requested signature algorithm is
supported by the active security level.
Although this will not affect most use-cases, it could lead to
error messages being generated if a non-supported algorithm is
requested - for example, use of RSA+SHA1 signatures with the default
security level of 2.
In such cases, the security level will need to be explicitly
lowered, either for individual requests or more globally. This
may require changes to the configuration of aplications. For
OpenSSL itself, per-request lowering can be achieved using a
command-line option such as
-cipher "ALL:@SECLEVEL=1"
with the relevant system-level configuration being found in
/etc/ssl/openssl.cnf
"
Is that any better? Further suggestions welcome, but I'm trying not to
make it longer than the rest of the text combined. :-)
Regards,
Adam
