From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Tue, 20 Mar 2018 22:07:30 +0100
Subject: [PATCH] Set systemwide default settings for libssl users

This config change enforeces a TLS1.2 protocol version as minimum. It
can be overwritten by the system administrator.

It also changes the default security level from 1 to 2, moving from the 80 bit
security level to the 112 bit security level.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Imported from openssl_1.1.1d-1.debian.tar.xz

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
 apps/openssl.cnf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 4acca4b0446f..a6fed92a2e75 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -15,6 +15,9 @@ HOME			= .
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 
+# System default
+openssl_conf = default_conf
+
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
@@ -348,3 +351,12 @@ ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
 ess_cert_id_alg		= sha1	# algorithm to compute certificate
 				# identifier (optional, default: sha1)
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2