Blame SOURCES/README.legacy-settings

cfec1a
Guide for legacy support enablement
cfec1a
===================================
cfec1a
cfec1a
To improve security provided by use of OpenSSL especially in context of
cfec1a
TLS connections we regularly review and deprecate algorithms and algorithm
cfec1a
settings which are no longer viewed as secure.
cfec1a
cfec1a
For some of these deprecated algorithms we provide a way for the
cfec1a
system administrator to reenable them.
cfec1a
cfec1a
Deprecated algorithms, protocols and settings in OpenSSL
cfec1a
========================================================
cfec1a
cfec1a
Previous Red Hat Enterprise Linux 7 update releases:
cfec1a
cfec1a
* SSL2 protocol disabled by default.
cfec1a
* Minimum DH group size accepted by SSL/TLS client 768 bits.
cfec1a
* Verification of certificates and signatures using MD5 hash
cfec1a
  disabled.
cfec1a
cfec1a
Red Hat Enterprise Linux 7.4:
cfec1a
cfec1a
* SSL2 protocol support completely disabled (cannot be re-enabled).
cfec1a
* All SSL/TLS export ciphers disabled.
cfec1a
* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
cfec1a
* Minimum DH group size accepted by SSL/TLS client 1024 bits.
cfec1a
* Disabled support for verification of certificates and signatures
cfec1a
  using MD2, MD4, MD5, and SHA0 hashes.
cfec1a
cfec1a
Legacy support enablement
cfec1a
=========================
cfec1a
cfec1a
The OpenSSL now supports /etc/pki/tls/legacy-settings configuration file
cfec1a
which can be created by the system administrator which contains lines with
cfec1a
simple Key Value pairs.
cfec1a
cfec1a
The library recognizes the following possible configuration settings in
cfec1a
that file:
cfec1a
cfec1a
LegacySigningMDs md2 md5
cfec1a
MinimumDHBits 512
cfec1a
cfec1a
The LegacySigningMDs option allows reenabling support for verification of
cfec1a
signatures with the specified hash algorithms. These can be any combination
cfec1a
of md2, md4, md5 and sha. (sha represents SHA0 algorithm, not SHA1.) Any
cfec1a
unrecognized algorithms are ignored.
cfec1a
cfec1a
The MinimumDHBits option allows setting of the minimum bit size of DH group
cfec1a
accepted by SSL/TLS client. It can be any value between 512 and 10000.
cfec1a
cfec1a
If the configuration file is not present the built-in defaults (that is the
cfec1a
secure defaults) are used. Any unrecognized lines (with other parameter
cfec1a
names or comments) are ignored.