On Wed, Oct 31, 2018 at 3:07 PM Kurt Roeckx <k...@roeckx.be> wrote:
> On Wed, Oct 31, 2018 at 11:08:18AM -0400, Justin Piszcz wrote:
> > Package: openssl
> > Version: 1.1.1-2
> >
> > Bug: Connection failed (20337260938) error:141A318A:SSL
> > routines:tls_process_ske_dhe:dh key too small)
>
> During the upgrade you should have received the following message:
>
> Following various security recommendations, the default minimum TLS version
> has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft, Google and Apple
> plan to do the same around March 2020.
>
> The default security level for TLS connections has also been increased from
> level 1 to level 2. This moves from the 80 bit security level to the 112 bit
> security level and will require 2048 bit or larger RSA and DHE keys, 224 bit
> or larger ECC keys, and SHA-2.
>
> The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications
> might also have a way to override the defaults.
>
> In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString
> line. The CipherString can also set the security level. Information about the
> security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage.
> The list of valid strings for the minimum protocol version can be found in
> SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and
> config(5ssl).
>
> Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide
> defaults can be done using:
> MinProtocol = None
> CipherString = DEFAULT
>
> It's recommended that you contact the remote site in case the defaults cause
> problems.
>
>
> Kurt
>
Understood & thank you! Justin.
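An added example, not part of this bug thread and not Debian's or OpenSSL's own code: it reads a Debian-style /etc/ssl/openssl.cnf, works out the effective MinProtocol and the @SECLEVEL carried in CipherString, shows why a server's DHE key of a given size is rejected at that level (the "dh key too small" failure above), and applies or overrides those defaults on a Python ssl.SSLContext, which is the per-application override route the NEWS text mentions. The section chain (openssl_conf -> ssl_conf -> system_default) is assumed to match Debian's layout, the sample file text is constructed, and the per-level key-size table is taken from SSL_CTX_set_security_level(3ssl).

```python
"""Constructed example: derive and apply OpenSSL system TLS defaults.
Section names follow Debian's /etc/ssl/openssl.cnf (assumption); the
SAMPLE_CNF text below is constructed for this example, not copied."""
import re
import ssl

SAMPLE_CNF = """\
# constructed sample, modelled on Debian's /etc/ssl/openssl.cnf
openssl_conf = default_conf

[ req ]
default_bits = 2048

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

# Smallest RSA/DH modulus (bits) each security level accepts, per
# SSL_CTX_set_security_level(3ssl): level 1 = 80-bit (1024), level 2 = 112-bit (2048), ...
SECLEVEL_MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def parse_cnf(text):
    """Return {section: {key: value}}; keys before any [section] go in ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def system_defaults(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return
    (min_protocol, cipher_string, seclevel) as the library will apply them."""
    s = parse_cnf(text)
    default_sect = s[""].get("openssl_conf", "")
    ssl_sect = s.get(default_sect, {}).get("ssl_conf", "")
    sd_sect = s.get(ssl_sect, {}).get("system_default", "")
    sd = s.get(sd_sect, {})
    min_proto = sd.get("MinProtocol", "None")        # "None" = no floor
    cipher = sd.get("CipherString", "DEFAULT")
    m = re.search(r"@SECLEVEL=(\d)", cipher)
    seclevel = int(m.group(1)) if m else 1           # OpenSSL's built-in default is 1
    return min_proto, cipher, seclevel


def dh_key_acceptable(dh_bits, seclevel):
    """Would a server's ephemeral DH key of dh_bits pass this level?
    A 'no' here is what the client reports as 'dh key too small'."""
    return dh_bits >= SECLEVEL_MIN_DH_BITS[seclevel]


def make_context(min_proto, cipher, override_seclevel=None):
    """Build a client SSLContext from the system defaults; override_seclevel
    rewrites the @SECLEVEL in-application without touching /etc/ssl/openssl.cnf."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if min_proto != "None":
        # "TLSv1.2" -> ssl.TLSVersion.TLSv1_2
        ctx.minimum_version = getattr(ssl.TLSVersion, min_proto.replace(".", "_"))
    if override_seclevel is not None:
        cipher = re.sub(r"@SECLEVEL=\d", "", cipher) + "@SECLEVEL=%d" % override_seclevel
    ctx.set_ciphers(cipher)
    return ctx


if __name__ == "__main__":
    proto, cipher, level = system_defaults(SAMPLE_CNF)
    print("system defaults:", proto, cipher, "-> security level", level)
    for bits in (1024, 2048):
        print("%d-bit DHE key at level %d: %s" % (
            bits, level, "ok" if dh_key_acceptable(bits, level) else "dh key too small"))
    ctx = make_context(proto, cipher)
    print("context floor:", ctx.minimum_version.name, "ciphers:", len(ctx.get_ciphers()))
    relaxed = make_context("None", cipher, override_seclevel=1)
    print("per-app override to level 1 ciphers:", len(relaxed.get_ciphers()))
```

The override path is deliberately per-context: lowering the level for the one legacy peer that still sends a 1024-bit DH key keeps the system-wide level 2 in force for everything else, which is preferable to editing /etc/ssl/openssl.cnf back to DEFAULT.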