On 2022-03-22 21:47:52 [+0100], Kurt Roeckx wrote:
> On Tue, Mar 22, 2022 at 08:19:01PM +0000, Adam D. Barratt wrote:
> > OpenSSL signature algorithm check tightening
> > =============================================
> >
> > The OpenSSL update included in this point release includes a change to
> > ensure that the requested signature algorithm is supported by the
> > active security level.
> >
> > Although this will not affect most use-cases, it could lead to error
> > messages being generated if a non-supported algorithm is requested -
> > for example, use of SHA1 with the default security level of 2. In such
> > cases, the security level will need to be explicitly lowered when
> > invoking OpenSSL, using an option such as
> >
> > -cipher "ALL:@SECLEVEL=1"
> > "
>
> So reading it again, I think the "when invoking OpenSSL" is confusing.
> Not only the openssl binary is affected, but also all clients and
> server applications making use of the library are. Some applications
> might have a way to set the cipher in their own configuration file,
> others might need to change the defaults in /etc/ssl/openssl.cfg
s/openssl.cfg/openssl.cnf
Kurt correct me if I'm wrong:
This only affects clients which were using TLS1.2 while connecting to
the server and did not send a sig-alg string which let the server
fallback to the default (sha1) which was not checked vs security level.
Would the client have sent sha1 as the sig-cipher then it would fail in
the version d, too.
Would the client need a lower protocol (TLSv1.0) then it would fail, too.
In these two cases the server administrator must have lowered the
security level to 1 (for the announced low sig-alg) and/or allow TLSv1
in order for the client to connect. (The same for the other way around).
I don't know which clients/server don't send sig-alg version. The test
in gnutls explicitly used TLSv1.0. The server check from ssllabs does
not expose server's sig-alg that was used during the handshake. Someone
complained about it:
https://github.com/ssllabs/ssllabs-scan/issues/465
>
> Kurt
Sebastian
