[Bug 1856428] Re: Disable TLS below 1.2 by default
James Henstridge
james.henstridge at canonical.com
Wed Feb 19 05:08:17 UTC 2020
For anyone who finds this bug, and wonders about the "Users can override
this behaviour with a config file" part, here's what I did to get an
OpenSSL-using application to talk to an old server that only supported
TLSv1 (in my case, an old Mumble server):
1. create an "openssl.cnf" file somewhere with the following contents:
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT at SECLEVEL=1
2. set the OPENSSL_CONF environment variable to this file's path when
running the application.
I wouldn't recommend making the change to the global
/etc/ssl/openssl.cnf, or setting $OPENSSL_CONF for situations where it
isn't needed, since this does reduce the default security.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1856428
Title:
Disable TLS below 1.2 by default
Status in gnutls28 package in Ubuntu:
Fix Released
Status in golang-1.13 package in Ubuntu:
New
Status in nss package in Ubuntu:
Fix Released
Status in openssl package in Ubuntu:
Fix Committed
Bug description:
Disable TLS 1.0, TLS1.1, DTLS1.0
As part of focal commitment, we shall disable obsolete protocols by
default.
Users can override this behaviour with a config file.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428/+subscriptions
More information about the foundations-bugs
mailing list