[openssl] OpenSSL_1_1_1-stable update

kaduk at mit.edu kaduk at mit.edu
Mon Jul 20 19:39:46 UTC 2020

The branch OpenSSL_1_1_1-stable has been updated
       via  335266fa793c105e5e38cbaf098542cc372cdc2e (commit)
      from  a47dd08d6cacc64536c2f57e0f0aee03dcfaab3d (commit)

- Log -----------------------------------------------------------------
commit 335266fa793c105e5e38cbaf098542cc372cdc2e
Author: Dimitri John Ledkov <xnox at ubuntu.com>
Date:   Tue Jul 14 17:55:49 2020 +0100

    man3: Drop warning about using security levels higher than 1.
    Today, majority of web-browsers reject communication as allowed by the
    security level 1. Instead key sizes and algorithms from security level
    2 are required. Thus remove the now obsolete warning against using
    security levels higher than 1. For example Ubuntu, compiles OpenSSL
    with security level set to 2, and further restricts algorithm versions
    available at that security level.
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/12444)
    (cherry picked from commit 02e14a65fd6cc63204b43a79d510e95a63bdd901)


Summary of changes:
 doc/man3/SSL_CTX_set_security_level.pod | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 0cb6c1f52a..ba0aa0b9ca 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -114,12 +114,6 @@ I<Documentation to be provided.>
 =head1 NOTES
-B<WARNING> at this time setting the security level higher than 1 for
-general internet use is likely to cause B<considerable> interoperability
-issues and is not recommended. This is because the B<SHA1> algorithm
-is very widely used in certificates and will be rejected at levels
-higher than 1 because it only offers 80 bits of security.
 The default security level can be configured when OpenSSL is compiled by
 setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.

More information about the openssl-commits mailing list