There have been many bugs filed against apps using crypto libraries to update them to use the system crypto policy by default. I'm currently looking at how to address the one filed against GTK-VNC:

  https://bugzilla.redhat.com/show_bug.cgi?id=1179301

The current GTK-VNC code sets the priority conditionally depending on what VNC auth mech was chosen earlier:

  gnutls_priority_set_direct(priv->tls_session, anonDH ? "NORMAL" : "NORMAL:+ANON-DH", NULL);

So I can't just use gnutls_set_default_priority(), unless there's a way to ask for "+ANON-DH" separately afterwards?

At first I thought I could just replace "NORMAL" with "@SYSTEM". Looking at the GNUTLS upstream code though, the "@SYSTEM" string is only ever defined in the external crypto policy file, and GNUTLS does not appear to install any such file by default. So I can't use "@SYSTEM" unconditionally when building against newer gnutls versions, as I can't rely on it existing even if gnutls is new enough.

So it seems like either these crypto policy changes require apps to carry Fedora/RHEL specific patches, or to pass in the default crypto policy name as a configure arg perhaps & rely on distro maintainers to set it when needed (eg ./configure --crypto-policy=@SYSTEM).

Anyone have any better suggestions for cleanly supporting the new system crypto policies in upstream apps while maintaining compat across distros and old gnutls versions, assuming gnutls_set_default_priority is out of the question?

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
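The portability problem raised in the mail (prefer the distro's "@SYSTEM" policy keyword, but not break on a GnuTLS build that has no crypto policy file) can be handled with a runtime probe plus a fallback. The script below is an added example, not GTK-VNC code: it composes the priority string with the optional "+ANON-DH" suffix, checks whether the installed GnuTLS accepts the candidate string by asking gnutls-cli to parse it, and falls back to the hard-coded "NORMAL" base if not. The CRYPTO_POLICY variable stands in for the ./configure --crypto-policy idea from the mail and is an assumption of this example; gnutls-cli --list --priority is a real GnuTLS tool invocation, and the same check in C is gnutls_priority_init() failing on an unknown keyword before the string is ever applied to a session.

```shell
#!/bin/sh
# Added example (not GTK-VNC's code): choose a GnuTLS priority string that
# uses the system crypto policy when the installed GnuTLS resolves it and
# falls back to the portable NORMAL-based string otherwise.
# Assumes gnutls-cli is on PATH; if it is missing, the fallback is used.

# Compose the priority string: base policy keyword plus ANON-DH when the
# VNC auth mechanism negotiated earlier needs anonymous Diffie-Hellman.
# $1 = base keyword (e.g. "@SYSTEM" or "NORMAL"), $2 = 1 if ANON-DH is needed.
compose_priority() {
    if [ "$2" -eq 1 ]; then
        printf '%s:+ANON-DH\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Return 0 if the installed GnuTLS can parse the given priority string.
# A keyword like @SYSTEM that is not defined in any crypto policy file makes
# gnutls-cli report a syntax error and exit non-zero, so it is rejected here
# rather than at connection time.
priority_parses() {
    command -v gnutls-cli >/dev/null 2>&1 || return 1
    gnutls-cli --list --priority "$1" >/dev/null 2>&1
}

# Pick the priority string: distro policy first, portable string second.
# $1 = 1 if ANON-DH is needed. CRYPTO_POLICY (hypothetical, stands in for a
# configure-time setting) selects the preferred base keyword.
pick_priority() {
    policy="${CRYPTO_POLICY:-@SYSTEM}"
    candidate=$(compose_priority "$policy" "$1")
    if priority_parses "$candidate"; then
        printf '%s\n' "$candidate"
    else
        compose_priority NORMAL "$1"
    fi
}

# Usage: ./pick-priority.sh 1   (prints the string to hand to GnuTLS)
pick_priority "${1:-0}"
```

The probe is cheap enough to run once at startup; caching the result and applying it with gnutls_priority_set_direct() keeps the existing GTK-VNC call site unchanged while letting distros that ship a policy file pick it up automatically.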