Re-Enable TLS 1.0 for OpenSSL-based Clients on Debian Buster

The OpenSSL shipped with Debian 10 "Buster" disables TLS protocol versions below 1.2. The web browsers Chromium and Firefox ship with an embedded SSL implementation and are not affected (they will issue warnings about legacy websites), but the change can cause problems with curl, Squid and other clients that are linked against OpenSSL.

To re-enable TLS version 1.0 for OpenSSL, change /etc/ssl/openssl.cnf as follows:

# MinProtocol = TLSv1.2
MinProtocol = TLSv1.0

It might be preferable not to change the system-wide setting. Programs linked against OpenSSL respect the environment variable OPENSSL_CONF, which points to the location of a dedicated config file (unless they are setuid or setgid executables):

OPENSSL_CONF=/etc/ssl/openssl.curl.cnf \
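
One way to build such a dedicated config file from the system one, so that only the MinProtocol line differs. This is an added example, not part of the original post; the function names, the constructed sample config and the host legacy.example.invalid are assumptions.

```shell
#!/bin/sh
# Added example: derive a per-program OpenSSL config instead of editing
# /etc/ssl/openssl.cnf. Function names and sample data are hypothetical.

# make_legacy_conf SRC DST
# Copy SRC to DST, rewriting only the active "MinProtocol = ..." line to
# TLSv1.0. Commented-out lines are left alone. Returns non-zero if SRC has
# no active MinProtocol line, so an unchanged copy is never mistaken for a
# working override.
make_legacy_conf() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    grep -Eq '^[[:space:]]*MinProtocol[[:space:]]*=' "$src" || {
        echo "no active MinProtocol line in $src" >&2; return 2; }
    sed -E 's/^([[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*).*/\1TLSv1.0/' \
        "$src" > "$dst" && chmod 644 "$dst"
}

# min_protocol FILE
# Print the value of the active (uncommented) MinProtocol line in FILE.
min_protocol() {
    sed -nE 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p' "$1"
}

# Demo on a constructed config in a temp directory (not a real system file).
demo_dir=$(mktemp -d)
printf '%s\n' '[system_default_sect]' 'MinProtocol = TLSv1.2' \
    > "$demo_dir/openssl.cnf"
make_legacy_conf "$demo_dir/openssl.cnf" "$demo_dir/openssl.curl.cnf"
echo "system:    $(min_protocol "$demo_dir/openssl.cnf")"
echo "dedicated: $(min_protocol "$demo_dir/openssl.curl.cnf")"

# On a real host the dedicated file is then applied to one invocation only,
# e.g. (placeholder host):
#   OPENSSL_CONF=/etc/ssl/openssl.curl.cnf curl https://legacy.example.invalid/
```

The system-wide file keeps MinProtocol = TLSv1.2, so every other OpenSSL client on the host still refuses TLS 1.0.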