On Wed, 2022-03-23 at 22:38 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-23 17:40:59 [+0000], Adam D. Barratt wrote:
> > Right, let's have another go at this then:
> >
> > "
> > OpenSSL signature algorithm check tightening
> > =============================================
> >
> > The OpenSSL update provided in this point release includes a
> > change to ensure that the requested signature algorithm is
> > supported by the active security level.
> >
> > Although this will not affect most use-cases, it could lead to
> > error messages being generated if a non-supported algorithm is
> > requested - for example, use of RSA+SHA1 signatures with the
> > default security level of 2.
> >
> > In such cases, the security level will need to be explicitly
> > lowered, either for individual requests or more globally. This
> > may require changes to the configuration of applications. For
> > OpenSSL itself, per-request lowering can be achieved using a
> > command-line option such as
> >
> >     -cipher "ALL:@SECLEVEL=1"
> >
> > with the relevant system-level configuration being found in
> > /etc/ssl/openssl.cnf
> > "
> >
> > Is that any better? Further suggestions welcome, but I'm trying not
> > to make it longer than the rest of the text combined. :-)
>
> This is good, Adam, thank you. I have nothing to add.
>

Thanks. I've added that text to the announcement for the buster point
release. If anyone has any changes, please yell ASAP.

Regards,

Adam

