chore(changelog): breaking change for OpenSSL key width

Kong · Feb 5, 2024 · b584dee · b584dee
1 parent c190632
commit b584dee
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/changelog/3.6.0/3.6.0.md b/changelog/3.6.0/3.6.0.md
@@ -37,6 +37,16 @@
 - **BREAKING:** To avoid ambiguity with other Wasm-related nginx.conf directives, the prefix for Wasm `shm_kv` nginx.conf directives was changed from `nginx_wasm_shm_` to `nginx_wasm_shm_kv_`
  [#11919](https://github.com/Kong/kong/issues/11919)
  [KAG-2355](https://konghq.atlassian.net/browse/KAG-2355)
+
+- In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2.
+  Which means security level set to 112 bits of security. As a result
+  RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than
+  224 bits are prohibited. In addition to the level 1 exclusions any cipher
+  suite using RC4 is also prohibited. SSL version 3 is also not allowed.
+  Compression is disabled.
+  [#7714](https://github.com/Kong/kong/issues/7714)
+  [KAG-3459](https://konghq.atlassian.net/browse/KAG-3459)
+
 #### Plugin
 
 - **azure-functions**: azure-functions plugin now eliminates upstream/request URI and only use `routeprefix` configuration field to construct request path when requesting Azure API

diff --git a/changelog/3.6.0/kong/bump_openssl_from_3_1_4_to_3_2_0.yml b/changelog/3.6.0/kong/bump_openssl_from_3_1_4_to_3_2_0.yml
@@ -0,0 +1,8 @@
+message: >-
+  In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2.
+  Which means security level set to 112 bits of security. As a result
+  RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than
+  224 bits are prohibited. In addition to the level 1 exclusions any cipher
+  suite using RC4 is also prohibited. SSL version 3 is also not allowed.
+  Compression is disabled.
+type: breaking_change