Comment 33 for bug 1841936

Christian Ehrhardt  (paelzer) wrote :

Prior to Update:
E: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered: HAProxy (1024 bits)
=> D+E on wrong defaults!

With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
D: DH group offered: RFC5114/2048-bit DSA group with 224-bit prime order subgroup (2048 bits)
B: DH group offered: HAProxy (2048 bits)
=> E+D ignore the config!

## Post Update ##

E: DH group offered: HAProxy (1024 bits)
D: DH group offered: HAProxy (1024 bits)
B: DH group offered: HAProxy (1024 bits)
=> E+D back on the expected default
=> B not broken by rebuild

With tuning to specific key (2048):
tune.ssl.default-dh-param 2048
E: DH group offered: HAProxy (2048 bits)
D: DH group offered: HAProxy (2048 bits)
B: DH group offered: HAProxy (2048 bits)
=> E+D: Config now works
=> B not broken by rebuild

Also on Bionic now (for the initial TLSv1.3 request):
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
 Testing protocols via sockets except NPN+ALPN
 SSLv2 not offered (OK)
 SSLv3 not offered (OK)
 TLS 1 offered (deprecated)
 TLS 1.1 offered (deprecated)
 TLS 1.2 offered (OK)
 TLS 1.3 offered (OK): final
...

Thanks to David for the extended test with a real configuration!
Marking this verified
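The "DH group offered" lines above come from a TLS scan; as an added example (not part of the bug report or of HAProxy itself), this shell script checks the same thing for your own listener by forcing a DHE cipher over TLS 1.2 and reading the key size from the `Server Temp Key` line that `openssl s_client` prints, then comparing it with the `tune.ssl.default-dh-param` value you expect. The host:port and the expected size are placeholders; the `-tls1_2` / `-cipher` options are assumed to be available in the installed OpenSSL (1.1.x or later).

```shell
#!/bin/sh
# Added example: verify the DH group size an HAProxy listener offers.
# The check forces DHE (not ECDHE) and pins TLS 1.2, because
# tune.ssl.default-dh-param governs the classic DHE key exchange.

# Read `openssl s_client` output on stdin and print the DH size in bits.
# Prints "0" when no DH key exchange was negotiated (e.g. only ECDHE or
# the server refused the DHE-only cipher list).
dh_bits_from_s_client() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-0}"
}

# Return 0 when the offered size equals the configured default, 1 otherwise.
dh_matches_expected() {
    offered=$1
    expected=$2
    [ "$offered" -eq "$expected" ]
}

# Query a live listener.  host:port and expected size are placeholders:
#   check_haproxy_dh haproxy.example.invalid:443 2048
check_haproxy_dh() {
    hostport=$1
    expected=$2
    offered=$(openssl s_client -connect "$hostport" -tls1_2 \
                -cipher 'DHE:!ECDHE' </dev/null 2>/dev/null \
              | dh_bits_from_s_client)
    if dh_matches_expected "$offered" "$expected"; then
        echo "OK: $hostport offers ${offered}-bit DH (expected $expected)"
    else
        echo "MISMATCH: $hostport offers ${offered}-bit DH, expected $expected"
        return 1
    fi
}
```

A result of 0 with a mismatch means the listener did not negotiate DHE at all, which is worth checking before concluding the default-dh-param setting is ignored.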