On Tue, 2015-01-06 at 12:16 -0500, Christopher wrote: > Are there any guidelines for enforcing crypto policies in Java > applications. > Primarily, I was thinking about those Java applications that use JSSE > system properties or similar user-driven configuration to specify > keystores. Are those affected by this crypto policy at all? Not yet. I haven't started a process on that, as I'd like to have time to spend on the successful deployment on openssl, gnutls and hopefully nss. However, maybe we don't need to do everything in a serialized way. If you are interested in that, may I suggest to fill feature request with the relevant java packages shipped in fedora? I've put a tracker of the crypto policies applicability at: https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies > Also, what about situations where SSL/TLS is off by default in the > application, but is an available as an optional feature, if the user > configures it? Since users are obliged to configure it, it seems > there's not much for a packager to do in those situations, because > that depends on the user's configuration, right? I'm not sure I understand the question. Let's see wget. wget http://www.amazon.com ----> no ssl wget https://www.amazon.com ----> ssl with system wide policies wget --secure-protocol=TLSv1 -----> application/user specific policy That is the default policies should be used if the user simply asks for SSL/TLS without being more specific. regards, Nikos -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
