
Re: dovecot, openssl, TLS1.0




On Mon, 5 Nov 2018 17:46:14 +0100
Jan Foniok <jan.foniok@xxxxxxxxxxxxxxxxxxx> wrote:

Hello Jan,

Putting this back on D-U...

>thanks a lot for your reply and excuse my inexperience.

My apologies; that's my fault.  I made an unwarranted assumption about
your experience level.

>In spite of some effort I haven't found this sysadmin. Can you please
>give me some pointers...

Important information regarding an update, such as a change in default
behaviour of a package, is emailed to the sysadmin user.  This is usually
root, IIRC, but can be reconfigured to be anybody.  To read it, either
set up your email package to check for mail locally (i.e. collect it from 
/var/mail/username), or simply look at the message in /var/mail/ -
it's plain text, of course.

Just in case it's gone, I repeat the message in its entirety here:

<quote>
openssl (1.1.1-2) unstable; urgency=medium

  Following various security recommendations, the default minimum TLS
  version has been changed from TLSv1 to TLSv1.2. Mozilla, Microsoft,
  Google and Apple plan to do same around March 2020.

  The default security level for TLS connections has also be increased
  from level 1 to level 2. This moves from the 80 bit security level to
  the 112 bit security level and will require 2048 bit or larger RSA and
  DHE keys, 224 bit or larger ECC keys, and SHA-2.

  The system wide settings can be changed in /etc/ssl/openssl.cnf.
  Applications might also have a way to override the defaults.

  In the default /etc/ssl/openssl.cnf there is a MinProtocol and
  CipherString line. The CipherString can also sets the security level.
  Information about the security levels can be found in the
  SSL_CTX_set_security_level(3ssl) manpage. The list of valid strings
  for the minimum protocol version can be found in SSL_CONF_cmd(3ssl).
  Other information can be found in ciphers(1ssl) and config(5ssl).

  Changing back the defaults in /etc/ssl/openssl.cnf to previous system
  wide defaults can be done using:
  MinProtocol = None
  CipherString = DEFAULT
</quote>

Hopefully, that points you in the right direction, and you'll be able
to make adjustments to your setup to suit your needs.

-- 
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
You don't entertain ideas you simply bore them
I Don't Like You - Stiff Little Fingers
