Blame SOURCES/README.legacy-settings

fd2893
Guide for legacy support enablement
fd2893
===================================
fd2893
fd2893
To improve security provided by use of OpenSSL especially in context of
fd2893
TLS connections we regularly review and deprecate algorithms and algorithm
fd2893
settings which are no longer viewed as secure.
fd2893
fd2893
For some of these deprecated algorithms we provide a way for the
fd2893
system administrator to reenable them.
fd2893
fd2893
Deprecated algorithms, protocols and settings in OpenSSL
fd2893
========================================================
fd2893
fd2893
Previous Red Hat Enterprise Linux 7 update releases:
fd2893
fd2893
* SSL2 protocol disabled by default.
fd2893
* Minimum DH group size accepted by SSL/TLS client 768 bits.
fd2893
* Verification of certificates and signatures using MD5 hash
fd2893
  disabled.
fd2893
fd2893
Red Hat Enterprise Linux 7.4:
fd2893
fd2893
* SSL2 protocol support completely disabled (cannot be re-enabled).
fd2893
* All SSL/TLS export ciphers disabled.
fd2893
* All SSL/TLS ciphersuites with keys smaller than 128 bits disabled.
fd2893
* Minimum DH group size accepted by SSL/TLS client 1024 bits.
fd2893
* Disabled support for verification of certificates and signatures
fd2893
  using MD2, MD4, MD5, and SHA0 hashes.
fd2893
fd2893
Legacy support enablement
fd2893
=========================
fd2893
fd2893
The OpenSSL now supports /etc/pki/tls/legacy-settings configuration file
fd2893
which can be created by the system administrator which contains lines with
fd2893
simple Key Value pairs.
fd2893
fd2893
The library recognizes the following possible configuration settings in
fd2893
that file:
fd2893
fd2893
LegacySigningMDs md2 md5
fd2893
MinimumDHBits 512
fd2893
fd2893
The LegacySigningMDs option allows reenabling support for verification of
fd2893
signatures with the specified hash algorithms. These can be any combination
fd2893
of md2, md4, md5 and sha. (sha represents SHA0 algorithm, not SHA1.) Any
fd2893
unrecognized algorithms are ignored.
fd2893
fd2893
The MinimumDHBits option allows setting of the minimum bit size of DH group
fd2893
accepted by SSL/TLS client. It can be any value between 512 and 10000.
fd2893
fd2893
If the configuration file is not present the built-in defaults (that is the
fd2893
secure defaults) are used. Any unrecognized lines (with other parameter
fd2893
names or comments) are ignored.