Package: openssl
Version: 3.0.2-1

The openssl.cnf contains an entry for openssl_conf since #12333 [1].

The attached patch-file should work but I haven't tested it yet.

[1] https://github.com/openssl/openssl/pull/12333

From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Tue, 20 Mar 2018 22:07:30 +0100
Subject: Set systemwide default settings for libssl users

This config change enforces a TLS1.2 protocol version as minimum. It
can be overwritten by the system administrator.

It also changes the default security level from 1 to 2, moving from the 80 bit
security level to the 112 bit security level.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 apps/openssl.cnf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -52,6 +52,7 @@
 
 [openssl_init]
 providers = provider_sect
+ssl_conf = ssl_sect
 
 # List of providers to load
 [provider_sect]
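
Review bot: the added `ssl_conf = ssl_sect` line in `[openssl_init]` only takes effect if the file's `openssl_conf` entry names `[openssl_init]`, and that entry lies outside this hunk's context, so the hunk alone does not show the new defaults are reachable. The report also says the patch is untested. Before merging, confirm on a build with this file installed that a libssl client refuses a TLS 1.1 handshake, and record that check in the commit message.
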
@@ -388,3 +389,10 @@
 # Certificate revocation
 cmd = rr
 oldcert = $insta::certout # insta.cert.pem
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2
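
Review bot: the new `[ssl_sect]` and `[system_default_sect]` sections are appended after the `cmd = rr` and `oldcert` lines with no comment, so a reader of the file cannot tell that they are system-wide libssl defaults or that the administrator may change them, which only the commit message states. Add a short comment above `[ssl_sect]` saying so and noting that `MinProtocol` and `CipherString` are the two values to adjust. Separately, the diffstat reports 13 insertions while the two hunks add 8 lines (1 and 7), so the header looks carried over from an earlier revision and should be regenerated.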
