Re: crypto policies for F21 without SSL 3.0?

On Thu, 2014-11-20 at 13:39 +0100, Hubert Kario wrote:

> > > > With that in mind, does it make sense to update the policies to
> > > > remove
> > > > SSL 3.0, or should we wait until F22?
> > > 
> > > In Mozilla's infrastructure, our recommendation is to disable SSLv3 by
> > > default everywhere, and only enable it when the service explicitly needs
> > > backward compatibility with very old clients.
> > 
> > I understand, but please read the rest of my mail. The issue here is
> > that we cannot via system-wide crypto policies disable SSLv3 in NSS (not
> > until [0] is included to NSS), and openssl as well because it provides
> > no cipher string to achieve that goal. So the question is does it matter
> > to disable SSLv3 from the global settings, if that would only affect
> > gnutls tools, which is a minority in Fedora?
> 
> Aren't there other parts of the policies which are not enforced? I mean 
> signature algorithms on certificates and in TLS1.2 (EC)DHE key exchange? Key 
> sizes?
> 
> We probably should document which parts and with which libraries are actually 
> enforced, but the actual policy should state the desired outcome (in this 
> case: SSLv3 disabled).

I tend to agree. Could you or Eric file a bug report against
crypto-policy? As we are pretty late in time, it will have to be accepted
as a blocker.

regards,
Nikos
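The thread's point is that a crypto policy should state the desired outcome (SSLv3 disabled) even where a particular library cannot enforce it through its cipher string. The following audit, added here as an illustration and not code from the crypto-policies project or from anyone on this thread, checks that outcome on a Python `ssl.SSLContext` (assumed as the stand-in for an application's TLS configuration) and shows that applying an OpenSSL-style cipher string leaves protocol-version state untouched, which is exactly why a cipher string alone cannot express "no SSLv3".

```python
import ssl

# Assumed policy shape: the desired outcome, independent of which library
# happens to enforce it. Constructed for this example.
POLICY = {"min_protocol": ssl.TLSVersion.TLSv1, "sslv3_allowed": False}


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when this context can never negotiate SSLv3.

    Either the explicit OP_NO_SSLv3 option is set, or the minimum version
    floor is at or above TLS 1.0. Both are protocol-level settings; neither
    is reachable through set_ciphers().
    """
    option_set = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_above_sslv3 = ctx.minimum_version >= ssl.TLSVersion.TLSv1
    return option_set or floor_above_sslv3


def audit(ctx: ssl.SSLContext, policy: dict = POLICY) -> dict:
    """Compare a live context against the policy's stated outcome."""
    return {
        "sslv3_disabled": sslv3_disabled(ctx),
        "meets_policy": sslv3_disabled(ctx) == (not policy["sslv3_allowed"]),
    }


def sslv3_state_around_cipher_string(cipher_string: str) -> tuple:
    """Record whether SSLv3 is disabled before and after a cipher string.

    Demonstrates that the cipher string cannot change protocol enablement:
    the two values are always equal.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # policy floor, set explicitly
    before = sslv3_disabled(ctx)
    ctx.set_ciphers(cipher_string)  # affects cipher suites only
    after = sslv3_disabled(ctx)
    return before, after


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    print(audit(ctx))
    print(sslv3_state_around_cipher_string("HIGH:!aNULL:!MD5"))
```

Because the verification reads `options` and `minimum_version` rather than the cipher list, the same audit applies whether the floor was set by a system-wide policy file or by the application itself, which is the distinction the thread draws between what the policy states and what each library enforces.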


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security