On Mon, 2015-02-09 at 15:10 +0000, Daniel P. Berrange wrote: > There have been many bugs filed against apps using crypto libraries to > update them to use the system crypto policy by default. I'm currently > looking at how to address the one filed against GTK-VNC > > https://bugzilla.redhat.com/show_bug.cgi?id=1179301 > > The current GTK-VNC code sets the priority conditionally depending on > wht VNC auth mech chosen earlier: > > gnutls_priority_set_direct(priv->tls_session, > anonDH ? "NORMAL" : "NORMAL:+ANON-DH", > NULL) > > So I can't just use gnutls_set_default_priority(), unless there's a way > to ask for "+ANON-DH" separately afterwards ? > At first I thought I could just replace "NORMAL" with "@SYSTEM". Looking > at the GNUTLS upstream code though, the "@SYSTEM" string is only ever > defined in the external crypto policy file and GNUTLS does not appear to > install any such file by default. So I can't use "@SYSTEM" unconditionally > when building against newer gnutls versions, as I can't rely on it existing > even ifi gnutls is new enough. The @SYSTEM keyword for gnutls is available in Fedora systems. It is made available by gnutls and crypto-policies in fedora. You can test it in F21 by "gnutls-cli --priority @SYSTEM --list". However, if you don't want to depend on it, you could do something like: if (!anonDH) set_default_priority() else set_direct("NORMAL:+ANON-DH"); (most probably you need to add +ANON-ECDH as well). Using anonymous diffie hellman is already something not allowed by the policy, so in that case it wouldn't matter much how hard you try to stick with it. regards, Nikos -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security
