Guide for legacy support enablement
===================================

To improve the security provided by OpenSSL, especially in the context of
TLS connections, we regularly review and deprecate algorithms and algorithm
settings which are no longer viewed as secure.

For some of these deprecated algorithms we provide a way for the
system administrator to re-enable them.

Deprecated algorithms, protocols and settings in OpenSSL
========================================================

Previous Red Hat Enterprise Linux 7 update releases:

* SSL2 protocol disabled by default.
* Minimum DH group size accepted by the SSL/TLS client is 768 bits.
* Verification of certificates and signatures using the MD5 hash
  disabled.

Red Hat Enterprise Linux 7.4:

* SSL2 protocol support completely disabled (cannot be re-enabled).
* All SSL/TLS export ciphers disabled.
* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
* Minimum DH group size accepted by the SSL/TLS client is 1024 bits.
* Disabled support for verification of certificates and signatures
  using MD2, MD4, MD5, and SHA0 hashes.

Legacy support enablement
=========================

OpenSSL now supports the /etc/pki/tls/legacy-settings configuration file,
which can be created by the system administrator and which contains lines
with simple Key Value pairs.

The library recognizes the following possible configuration settings in
that file:

LegacySigningMDs md2 md5
MinimumDHBits 512

The LegacySigningMDs option re-enables support for verification of
signatures made with the specified hash algorithms. These can be any
combination of md2, md4, md5 and sha. (sha represents the SHA0 algorithm,
not SHA1.) Any unrecognized algorithms are ignored.

The MinimumDHBits option sets the minimum bit size of the DH group
accepted by the SSL/TLS client. It can be any value between 512 and 10000.

If the configuration file is not present, the built-in defaults (that is,
the secure defaults) are used. Any unrecognized lines (with other parameter
names, or comments) are ignored.
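The following is an added example, not part of this guide and not Red Hat's or OpenSSL's own code: a small audit script that reads a legacy-settings file with the rules described above (whitespace-separated Key Value pairs, only md2/md4/md5/sha recognized for LegacySigningMDs, MinimumDHBits between 512 and 10000, everything else ignored) and reports which secure defaults the file weakens. It assumes the RHEL 7.4 default of 1024 bits for MinimumDHBits, that algorithm names must match the documented lowercase spelling exactly, and that an out-of-range or non-numeric MinimumDHBits value is treated like an unrecognized line (the guide does not say how OpenSSL handles that case). The sample file content is constructed.

```python
"""Audit a /etc/pki/tls/legacy-settings file for re-enabled legacy options.

Added example; the parsing rules follow the guide, the handling of invalid
MinimumDHBits values and the 1024-bit default are assumptions.
"""
from dataclasses import dataclass, field

# Names accepted by LegacySigningMDs per the guide ("sha" is SHA0, not SHA1).
KNOWN_LEGACY_MDS = ("md2", "md4", "md5", "sha")
DH_BITS_MIN, DH_BITS_MAX = 512, 10000
SECURE_DEFAULT_DH_BITS = 1024  # RHEL 7.4 built-in default stated in the guide


@dataclass
class LegacySettings:
    legacy_signing_mds: list = field(default_factory=list)  # recognized MDs, in order
    minimum_dh_bits: int = SECURE_DEFAULT_DH_BITS
    ignored_lines: list = field(default_factory=list)       # lines with no effect
    ignored_mds: list = field(default_factory=list)         # unknown MD names


def parse_legacy_settings(text: str) -> LegacySettings:
    """Parse file content; a missing/empty file yields the secure defaults."""
    s = LegacySettings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "LegacySigningMDs":
            for md in values:
                if md in KNOWN_LEGACY_MDS:
                    if md not in s.legacy_signing_mds:
                        s.legacy_signing_mds.append(md)
                else:
                    s.ignored_mds.append(md)  # unrecognized algorithms are ignored
        elif key == "MinimumDHBits":
            # Assumption: non-numeric or out-of-range values keep the default.
            try:
                bits = int(values[0])
            except (IndexError, ValueError):
                s.ignored_lines.append(raw)
                continue
            if DH_BITS_MIN <= bits <= DH_BITS_MAX:
                s.minimum_dh_bits = bits
            else:
                s.ignored_lines.append(raw)
        else:
            # Other parameter names and comments are ignored by the library.
            s.ignored_lines.append(raw)
    return s


def audit(settings: LegacySettings) -> list:
    """Return one finding per setting that weakens the secure defaults."""
    findings = []
    for md in settings.legacy_signing_mds:
        name = "SHA0" if md == "sha" else md.upper()
        findings.append(f"signature verification with {name} re-enabled")
    if settings.minimum_dh_bits < SECURE_DEFAULT_DH_BITS:
        findings.append(
            f"minimum DH group size lowered to {settings.minimum_dh_bits} bits "
            f"(default {SECURE_DEFAULT_DH_BITS})")
    return findings


# Constructed sample file content (not a real system's configuration).
SAMPLE = """\
# comment lines are simply unrecognized and ignored
LegacySigningMDs md2 md5 sha1 md5
MinimumDHBits 512
SomethingElse 1
"""

if __name__ == "__main__":
    cfg = parse_legacy_settings(SAMPLE)
    for finding in audit(cfg):
        print("WARNING:", finding)
    for line in cfg.ignored_lines:
        print("ignored:", line)
```

Run it against the real file with `parse_legacy_settings(open("/etc/pki/tls/legacy-settings").read())` to see at a glance which deprecated algorithms a host has re-enabled; "sha1" in the sample is deliberately ignored, since only SHA0 (spelled "sha") is a legacy option here.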