Ubuntu 20.04 - how to set lower SSL security level?
You don't have your config changes quite right. You need to add this to the beginning of your config file:
openssl_conf = default_conf
And then this to the end:
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=1
Note that if you prefer you can make changes to a local copy of the config file, and then ensure your process is started with the environment variable OPENSSL_CONF
defined to point at the location of your config file:
export OPENSSL_CONF=/path/to/my/openssl.cnf
This way you can make changes without having to impact your entire system.
Note: To find the system's openssl.cnf file, run the following:
% openssl version -d
the run ls -l
on the directory outputted to see where the openssl.cnf
file is via its symlink in that directory as needed.
The two solutions above were confusing for me.
You just need two blocks of modifications in /usr/lib/ssl/openssl.cnf as documented with this diff:
rcsdiff ./openssl.cnf
===================================================================
RCS file: ./openssl.cnf,v
retrieving revision 1.1
diff -r1.1 ./openssl.cnf
13a14,15
> openssl_conf = default_conf
>
350a353,362
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = DEFAULT@SECLEVEL=1
For cut&paste:
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1