Hi Kurt, Christoph, Sebastian, others,

On Sat, 20 Apr 2019 06:07:00 +0000 Niels Thykier <ni...@thykier.net> wrote:
> clone 927435 -1
> reassign -1 release-notes
> retitle -1 release-notes: Document how to handle openssls new defaults
>
> > After upgrading to buster, unbound-control would fail to run with this
> > error:
> >
> > error: Error setting up SSL_CTX client cert
> > 139765110753216:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key
> > too small:../ssl/ssl_rsa.c:310:
> >
> > To fix this I had to regenerate the certs and keys by removing the old ones
> > and running unbound-control-setup, then restarting unbound. This fixed the
> > issue.
> >
> > $ cd /etc/unbound/
> > $ sudo rm *.key *.pem
> > $ sudo unbound-control-setup
> > $ sudo systemctl restart unbound
> >
> > Note that with unbound-control broken, that broke `systemctl reload
> > unbound` as it depends on unbound-control.
> >
> > [...]
>
> I have split it into two bugs:
>  * One for the release-notes because the stricter defaults in OpenSSL
>    affect multiple programs (I have seen similar issues from e.g.
>    wpa_supplicant). At this point, we should probably document the
>    knobs involved[1].
>
> [1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding
> """
> [system_default_sect]
> ...
> CipherString = DEFAULT@SECLEVEL=2
> """
>
> And change that SECLEVEL=2 to SECLEVEL=1. Obviously, this has
> system-wide effects and reduces the minimum key size for all things that
> do not set their own CipherString (e.g. webservers have configuration to
> do that and wpa_supplicant overrides the new default as well as most
> WiFi have small keys).

Could somebody from the openssl team propose a text that can be added to the
release-notes about the new defaults? I am not asking for package-specific
text (although that is welcome of course), but rather a generic description
of the change, what it means, how it can be circumvented and what the
drawbacks of that are.

Paul
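The "ee key too small" failure and the SECLEVEL knob discussed in this thread, as an added example (this is not code from the bug report, from Debian, or from the OpenSSL project). The script audits the PEM files in a directory such as /etc/unbound against the minimum RSA modulus size OpenSSL enforces at a given security level, and shows how to lower the level for one command via a private OPENSSL_CONF instead of editing /etc/ssl/openssl.cnf system-wide. Assumptions: openssl(1) is on PATH for the file-scanning part; the per-level key-size minimums are the ones documented for SSL_CTX_set_security_level(3); the temporary config uses the section layout of Debian's /etc/ssl/openssl.cnf (openssl_conf -> ssl_conf -> system_default); and the target program loads the default OpenSSL configuration, which libssl 1.1.1 does automatically unless the program opts out. The script name seclevel-check.sh is made up for the usage lines.

```shell
#!/bin/sh
# seclevel-check.sh (added example, not part of the bug report)
# Audit PEM keys/certs against OpenSSL's security-level key-size minimums
# and run a single command with a lowered SECLEVEL.

# Minimum RSA modulus size accepted at each OpenSSL security level
# (from SSL_CTX_set_security_level(3): level 1 = 80-bit security -> 1024,
# level 2 = 112-bit security -> 2048, and so on).
seclevel_min_rsa_bits() {
    case "$1" in
        0) echo 0 ;;
        1) echo 1024 ;;
        2) echo 2048 ;;
        3) echo 3072 ;;
        4) echo 7680 ;;
        5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Print "ok" (status 0) or "too small ..." (status 1) for an RSA modulus of
# $1 bits under security level $2. A "too small" key is exactly what makes
# SSL_CTX_use_certificate fail with "ee key too small".
classify_rsa_bits() {
    bits=$1
    level=$2
    min=$(seclevel_min_rsa_bits "$level") || return 1
    if [ "$bits" -ge "$min" ]; then
        echo "ok"
    else
        echo "too small (need >= $min bits at SECLEVEL=$level)"
        return 1
    fi
}

# Extract the modulus size from `openssl x509 -text` / `openssl pkey -text_pub`
# output on stdin. Matches both "RSA Public-Key: (1024 bit)" (OpenSSL 1.1.1)
# and "Public-Key: (1024 bit)" (other versions); prints the number only.
rsa_bits_from_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Modulus size of the certificate or private key stored in PEM file $1.
rsa_bits_of_file() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -text
    else
        openssl pkey -in "$1" -noout -text_pub
    fi | rsa_bits_from_text
}

# Report every *.pem / *.key file in $2 (default /etc/unbound) that OpenSSL
# will reject at level $1 (default 2, buster's system-wide default).
# Returns non-zero if any file is too small, so it can gate a regeneration
# step such as unbound-control-setup.
audit_unbound_certs() {
    level=${1:-2}
    dir=${2:-/etc/unbound}
    status=0
    for f in "$dir"/*.pem "$dir"/*.key; do
        [ -e "$f" ] || continue
        bits=$(rsa_bits_of_file "$f")
        result=$(classify_rsa_bits "${bits:-0}" "$level") || status=1
        printf '%s: %s bits: %s\n' "$f" "${bits:-?}" "$result"
    done
    return $status
}

# Run one command under a private openssl.cnf whose system default is
# SECLEVEL=$1, leaving /etc/ssl/openssl.cnf untouched. Only affects programs
# that load the default OpenSSL configuration (assumption: the target does,
# as libssl 1.1.1 applications do by default).
with_seclevel() {
    level=$1; shift
    cnf=$(mktemp) || return 1
    cat >"$cnf" <<EOF
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=$level
EOF
    OPENSSL_CONF=$cnf "$@"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Usage:
#   sh seclevel-check.sh audit [LEVEL] [DIR]   e.g. audit 2 /etc/unbound
#   sh seclevel-check.sh run LEVEL CMD...      e.g. run 1 unbound-control status
case "${1:-}" in
    audit) shift; audit_unbound_certs "$@" ;;
    run)   shift; with_seclevel "$@" ;;
esac
```

The audit is the check to run before (or instead of) touching the system-wide CipherString: if every file in /etc/unbound reports "ok" at level 2, the unbound-control failure has some other cause; if the 1024-bit keys from an older unbound-control-setup show up as "too small", regenerating them is the fix with no system-wide side effect, and `run 1 ...` is the narrowest possible workaround for a program that cannot be given bigger keys, since the SECLEVEL change in the thread otherwise applies to every libssl user on the host that does not set its own CipherString.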