Re: crypto policies for F21 without SSL 3.0?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 20 November 2014 09:46:00 Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-11-19 at 11:29 -0500, Julien Vehent wrote:
> > On 2014-11-19 09:58, Nikos Mavrogiannopoulos wrote:
> > > With that in mind, does it make sense to update the policies to
> > > remove
> > > SSL 3.0, or should we wait until F22?
> > 
> > In Mozilla's infrastructure, our recommendation is to disable SSLv3 by
> > default everywhere, and only enable it when the service explicitly needs
> > backward compatibility with very old clients.
> 
> I understand, but please read the rest of my mail. The issue here is
> that we cannot via system-wide crypto policies disable SSLv3 in NSS (not
> until [0] is included to NSS), and openssl as well because it provides
> no cipher string to achieve that goal. So the question is does it matter
> to disable SSLv3 from the global settings, if that would only affect
> gnutls tools, which is a minority in Fedora?

Aren't there other parts of the policies which are not enforced? I mean 
signature algorithms on certificates and in TLS1.2 (EC)DHE key exchange? Key 
sizes?

We probably should document which parts and with which libraries are actually 
enforced, but the actual policy should state the desired outcome (in this 
case: SSLv3 disabled).

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux