** Description changed:

- openssl.cnf as provided misses some directive, which make it a bit
- difficult to change security level, which since openssl 3 disables SHA1
- signatures.
+ [Impact]
+ 
+ The move to OpenSSL 3.0 led to a lot of broken setups. Some of them are
+ regressions, but others are simply broken due to the use of outdated
+ algorithms, such as SHA-1 signatures on certificates. Changing the
+ security level is a common action to identify and work around such
+ cases, and as such the user should be able to change it easily in the
+ default config file.
+ 
+ The fix is to partially revert our delta that ignored a Debian patch:
+ instead of ignoring the patch entirely, we modify it to only affect the
+ default configuration file, and in a way that matches our patchset.
+ Using this approach will allow us to pick up on Debian's changes more
+ easily during subsequent merges.
+ 
+ [Test Plan]
+ 
+ To easily check that the setting is taken into account, one can use
+ 'openssl ciphers -s'
+ 
+ $ openssl ciphers -v -s | wc -l # Uses the default value
+ 30
+ $ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=2' | wc -l
+ 30
+ $ openssl ciphers -v -s 'DEFAULT:@SECLEVEL=3' | wc -l
+ 24
+ $ vim /etc/ssl/openssl.cnf # edit the config file to bump the seclevel to 3
+ $ openssl ciphers -v -s | wc -l # Uses the new value from the config file
+ 24
+ 
+ [Where problems could occur]
+ 
+ The changes could break the overall configuration of OpenSSL!
+ 
+ [Origin report]
+ openssl.cnf as provided misses some directives, which makes it a bit difficult
to change security level, which since openssl 3 disables SHA1 signatures.
  
  See also this Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010360 and the committed fix:
  
https://salsa.debian.org/debian/openssl/-/commit/b507914c40270e32cde6afcc8af93707c225e7f4
  
  Can you please sync this change in Ubuntu openssl?
  
  This way one should just add a single directive to change the security
  level.
  
  Thanks.

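As an added example (not code from the bug report, the Debian patch, or the openssl package), the script below writes a minimal openssl.cnf that pins the default security level through the CipherString directive of a system_default section, then uses `openssl ciphers -s`, as the Test Plan does, to confirm the setting is honoured when the file is selected via OPENSSL_CONF. This way the check can be run without editing /etc/ssl/openssl.cnf. The section names (openssl_init, ssl_sect, system_default_sect) follow the Debian/Ubuntu openssl.cnf layout and are assumed here; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openssl package.
# Generates a minimal openssl.cnf that sets the default security level, then
# checks with `openssl ciphers -s` (as in the Test Plan) that OpenSSL honours
# it when the file is selected via OPENSSL_CONF. Section names follow the
# Debian/Ubuntu openssl.cnf layout and are an assumption; compare with your
# own /etc/ssl/openssl.cnf before adapting it.
set -eu

# Emit a config whose system-wide default CipherString pins @SECLEVEL=<level>.
# Only this one directive has to change to move between security levels.
seclevel_config() {
    level="$1"
    cat <<EOF
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=${level}
EOF
}

# Count the ciphers offered when <conf> is the active config file. Without an
# explicit cipher string, `openssl ciphers -s` uses the config's CipherString,
# so a change in the count shows that the directive was actually read.
count_ciphers_with_conf() {
    conf="$1"
    OPENSSL_CONF="$conf" openssl ciphers -v -s | wc -l | tr -d ' '
}

# Count ciphers for an explicit cipher string, bypassing the config default.
count_ciphers_explicit() {
    openssl ciphers -v -s "$1" | wc -l | tr -d ' '
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; only the config generator can be used" >&2
        return 0
    fi
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    for level in 2 3; do
        seclevel_config "$level" > "$tmp/openssl-seclevel$level.cnf"
        printf 'SECLEVEL=%s: %s ciphers via config, %s via explicit string\n' \
            "$level" \
            "$(count_ciphers_with_conf "$tmp/openssl-seclevel$level.cnf")" \
            "$(count_ciphers_explicit "DEFAULT:@SECLEVEL=$level")"
    done
}

main
```

The two counts for each level should agree, and the count at level 3 should be no larger than at level 2, which is what the Test Plan's 30 versus 24 shows on the Ubuntu build. If the config-driven count does not move when the level changes, the directive is not being picked up, which is exactly the situation the missing openssl.cnf sections caused.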
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1972056

Title:
  [openssl3] please sync openssl.cnf to ease changing security level

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1972056/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
