
Bug#959469: openssl 1.1.1n-0+deb10u1 flagged for acceptance



On Wed, 2022-03-23 at 22:38 +0100, Sebastian Andrzej Siewior wrote:
> On 2022-03-23 17:40:59 [+0000], Adam D. Barratt wrote:
> > Right, let's have another go at this then:
> > 
> > "
> > OpenSSL signature algorithm check tightening
> > =============================================
> > 
> > The OpenSSL update provided in this point release includes a
> > change to ensure that the requested signature algorithm is
> > supported by the active security level.
> > 
> > Although this will not affect most use-cases, it could lead to
> > error messages being generated if a non-supported algorithm is
> > requested - for example, use of RSA+SHA1 signatures with the
> > default security level of 2.
> > 
> > In such cases, the security level will need to be explicitly
> > lowered, either for individual requests or more globally. This
> > may require changes to the configuration of applications. For
> > OpenSSL itself, per-request lowering can be achieved using a
> > command-line option such as
> > 
> >     -cipher "ALL:@SECLEVEL=1"
> > 
> > with the relevant system-level configuration being found in
> > /etc/ssl/openssl.cnf
> > "
> > 
> > Is that any better? Further suggestions welcome, but I'm trying not
> > to make it longer than the rest of the text combined. :-)
> 
> This is good, Adam, thank you. I have nothing to add.
> 

Thanks.

I've added that text to the announcement for the buster point release.
If anyone has any changes, please yell ASAP.

Regards,

Adam
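
An added example, not part of the original message: a Python check that reads an openssl.cnf-style file and reports the system-wide @SECLEVEL, so that a global lowering made to work around the change described above shows up in configuration audits. The sample configuration, its section names and the function names are constructed for illustration; the parser handles only plain [section] headers and key = value lines.

```python
import re

# Constructed sample; section names are illustrative, not taken from the thread.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2   # site baseline
"""

def parse_cnf(text):
    """Return {section: {key: value}}; keys before any header go in 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)          # value may contain '='
            sections[current][key.strip()] = value.strip()
    return sections

def system_seclevel(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return the
    @SECLEVEL from its CipherString, or None if none is configured."""
    cnf = parse_cnf(text)
    sect = cnf["default"].get("openssl_conf")
    for key in ("ssl_conf", "system_default"):
        sect = cnf.get(sect, {}).get(key)
    levels = re.findall(r"@SECLEVEL=(\d)", cnf.get(sect, {}).get("CipherString", ""))
    # Conservative for an audit: report the lowest level mentioned.
    return min(map(int, levels)) if levels else None

def audit(text, baseline=2):
    level = system_seclevel(text)
    if level is None:
        return "INFO: no system-wide SECLEVEL set; the library default applies"
    if level < baseline:
        return f"WARN: system-wide SECLEVEL={level} is below baseline {baseline}"
    return f"OK: system-wide SECLEVEL={level}"

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
    print(audit(SAMPLE_CNF.replace("SECLEVEL=2", "SECLEVEL=1")))
```

A WARN result means every application using the system default is affected; the per-request option quoted in the announcement text keeps the change scoped to the one connection that needs it.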

