Package: openssl
Version: 3.0.2-1
The openssl.cnf contains an entry for openssl_conf since #12333 [1].
The attached patch-file should work but I haven't tested it yet.
[1] https://github.com/openssl/openssl/pull/12333
From: Sebastian Andrzej Siewior
Date: Tue, 20 Mar 2018 22:07:30 +0100
Subject: Set systemwide default settings for libssl users
This config change enforces a TLS1.2 protocol version as minimum. It
can be overwritten by the system administrator.
It also changes the default security level from 1 to 2, moving from the 80 bit
security level to the 112 bit security level.
Signed-off-by: Sebastian Andrzej Siewior
---
apps/openssl.cnf | 13 +
1 file changed, 13 insertions(+)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -52,6 +52,7 @@
[openssl_init]
providers = provider_sect
+ssl_conf = ssl_sect
# List of providers to load
[provider_sect]
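Review bot: the diffstat does not match the hunks: it still reports 13 insertions, while this hunk (@@ -52,6 +52,7 @@) adds one line and the next (@@ -388,3 +389,10 @@) adds seven, eight in total. The header looks carried over from an earlier revision of the patch. Regenerate the patch against the 3.0.2 apps/openssl.cnf so that the stat and the hunks agree, and confirm it applies, since the report says it is untested.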
@@ -388,3 +389,10 @@
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2
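Review bot: the new [ssl_sect] and [system_default_sect] sections are appended without any comment, although the commit message says the administrator can override these defaults. Suggest a short comment above MinProtocol = TLSv1.2 and CipherString = DEFAULT@SECLEVEL=2 stating that they are the system-wide defaults for libssl users and that this is the place to change them. That way someone reading openssl.cnf can tell why a peer limited to older protocol versions is refused.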
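A check for the chain the patch depends on (openssl_conf -> ssl_conf -> system_default), given as an added example that is not part of the original report or patch. The sample file is constructed, the `openssl_conf = openssl_init` line is assumed from the upstream 3.0 default file, and the parser is a simplified assumption that ignores includes and variable expansion.

```python
import re

# Constructed sample: the relevant parts of an openssl.cnf after the patch.
SAMPLE_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

def parse_cnf(text):
    """Parse 'name = value' lines into {section: {name: value}}; '' is the unnamed top section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: every '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections[current][name] = value
    return sections

def system_default(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return the final section or the missing link."""
    sections = parse_cnf(text)
    section = ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = sections.get(section, {}).get(key)
        if target is None or target not in sections:
            return {"missing": key}
        section = target
    return sections[section]
```

A result of `{"missing": ...}` names the first link that does not resolve, which is the case where the MinProtocol and CipherString defaults are never reached.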