On Thursday, 4 April 2019 23:06:07 CEST Frank Ueberschar wrote:
> Here
> https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
> is a proposal to use a specific cipher list string for
> SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
>
> Especially this citation: "if that call is present and provided a fixed
> string which does not contain PSK or SRP, replace the string with
> "PROFILE=SYSTEM", or remove the call"
>
> We have to rely on PSK. What is the reason behind the above advice?
>
> Thanks, Frank

More or less what David said.

PSK and SRP are very specific use cases, ones that don't work in open Internet and require close cooperation and communication between server administrator and user. Crypto Policies target common use cases with typical configurations (i.e. X.509 certificate authentication).

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
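
The guideline rule quoted in this thread can be applied mechanically during package review. The following Python script is an added example, not part of the thread or of the Fedora guidelines: it scans C source for `SSL_CTX_set_cipher_list()` calls and says whether the rule asks for `"PROFILE=SYSTEM"`. The function names, verdict labels and sample C lines are constructed, and sending strings that only exclude PSK/SRP (`!PSK`, `-SRP`) or use a non-literal argument to manual review is this example's assumption.

```python
import re

# Call whose second argument is one or more adjacent C string literals.
FIXED = re.compile(
    r'SSL_CTX_set_cipher_list\s*\(\s*[^,()]+,\s*((?:"(?:[^"\\]|\\.)*"\s*)+)\)')
# Any call at all, so non-literal arguments are reported as well.
ANY = re.compile(r'SSL_CTX_set_cipher_list\s*\(')
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def classify(cipher_string):
    """Apply the quoted guideline rule to one fixed cipher string."""
    if cipher_string == "PROFILE=SYSTEM":
        return "ok"
    # OpenSSL separates cipher-list items with ':', ',' or spaces;
    # a leading '!' or '-' removes ciphers instead of selecting them.
    wanted = [t for t in re.split(r"[:, ]+", cipher_string)
              if t and t[0] not in "!-"]
    if any("PSK" in t or "SRP" in t for t in wanted):
        return "keep"      # application relies on PSK/SRP: leave the string
    if "PSK" in cipher_string or "SRP" in cipher_string:
        return "review"    # PSK/SRP only appear as exclusions (assumption)
    return "replace"       # use "PROFILE=SYSTEM" or remove the call


def audit(source):
    """Return (line_number, verdict, cipher_string) for every call found."""
    fixed = {m.start(): "".join(LITERAL.findall(m.group(1)))
             for m in FIXED.finditer(source)}
    findings = []
    for m in ANY.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        if m.start() in fixed:
            findings.append((line, classify(fixed[m.start()]), fixed[m.start()]))
        else:
            findings.append((line, "review", None))  # not a fixed string
    return findings


# Constructed sample input, not taken from any real package.
SAMPLE = r'''
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
SSL_CTX_set_cipher_list(ctx, "PSK-AES128-CBC-SHA");
SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM");
SSL_CTX_set_cipher_list(ctx, "HIGH:" "!PSK:!SRP");
SSL_CTX_set_cipher_list(ctx, cfg->ciphers);
'''

if __name__ == "__main__":
    for line, verdict, value in audit(SAMPLE):
        print(line, verdict, value)
```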