Re: System-wide crypto policy transition tracker

On Tue, Jan 6, 2015 at 9:20 AM, Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> wrote:
Hello, I've created a transition tracker to system-wide crypto policy at: https://bugzilla.redhat.com/show_bug.cgi?id=1179209 Currently it contains bugs filed against openssl and gnutls applications in Fedora. If you use some application which utilizes SSL/TLS and isn't included in the tracker feel free to request it use the policy, and include a link to the bug report in the tracker.

Hi,

This looks like a big improvement. I have a few questions about what to expect @SYSTEM to include in F22:

* Will the system priority string include %COMPAT?
* Will it include %LATEST_RECORD_VERSION? (WebKitGTK+ has been using this at your suggestion, since servers started blocking SSLv3 record versions.)
* Given that GnuTLS 3.4 seems unlikely to be stable before F22, will it include !VERS-SSL3.0?
* And what about !ARCFOUR-128?

Now a hypothetical: say some new attack is published and some new set of ciphersuites is considered weak. Can applications trust that the system-provided string will always be secure (or represent a reasonable security-compatibility trade-off)? Of course that might depend on the severity of the attack, so more specifically: if POODLE were to be discovered one month after F22 is released, would @SYSTEM be immediately updated to include !VERS-SSL3.0, or would a change like that be delayed until the next Fedora release? If the change was delayed, would application-specific patches to change the default priority string be permitted?

Lastly, one criticism: I'm really unsure why any of this is being treated as Fedora-specific. Other distributions should benefit from this work as well. In particular, an upstream application developer needs some way to specify "secure defaults please and thank you" and it looks like gnutls_set_default_priority() will be the way to get that on Fedora. But upstream projects would be amiss to use the default priority, which is a shame. I'd really like for upstream projects to not have to worry about the priority string unless they choose to.

Thanks,

Michael
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
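As an added example (not code from the thread, from GnuTLS or from Fedora): a small Python linter for the parts of GnuTLS priority-string syntax the questions above touch. It resolves an `@SYSTEM` reference through a caller-supplied table, applies `!`/`-`/`+` items in order, collects `%` flags, and reports whether `%COMPAT`, `%LATEST_RECORD_VERSION`, `!VERS-SSL3.0` and `!ARCFOUR-128` are in effect. The contents of `@SYSTEM` below are constructed, and the assumption that the `NORMAL` keyword of the GnuTLS version in question still enables SSL 3.0 and ARCFOUR-128 (so they are only off when removed explicitly) is taken from the context of the message; on a real host, `gnutls-cli --list --priority '@SYSTEM'` is the authoritative view of what a string resolves to.

```python
"""Linter for the GnuTLS priority-string items raised in the thread.

Constructed example. It understands the subset of the syntax used here:
  * a ':'-separated list whose first item is a keyword such as NORMAL,
    or a '@NAME' reference to a system-defined string (e.g. @SYSTEM);
  * '!ITEM' or '-ITEM' removes an algorithm or protocol version;
  * '+ITEM' adds one (later items override earlier ones);
  * '%FLAG' sets a special option such as %COMPAT.
'@NAME' is resolved through a caller-supplied table; on a real system
GnuTLS reads it from its own configuration, which is not parsed here.
"""

from dataclasses import dataclass, field

# Items the thread asks @SYSTEM to exclude. Assumption taken from the
# thread: the NORMAL keyword still enables both, so they are only off
# when the string removes them explicitly.
WEAK_ITEMS = {"VERS-SSL3.0": "SSL 3.0", "ARCFOUR-128": "RC4"}
WANTED_FLAGS = {"COMPAT", "LATEST_RECORD_VERSION"}


@dataclass
class Priority:
    keyword: str = ""
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    flags: set = field(default_factory=set)


def parse_priority(spec, system_strings=None, _depth=0):
    """Parse a priority string into its effective add/remove/flag sets."""
    if _depth > 8:
        raise ValueError("too many nested @ references")
    table = system_strings or {}
    prio = Priority()
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("@"):
            name = item[1:]
            if name not in table:
                raise KeyError("unknown system priority string @%s" % name)
            nested = parse_priority(table[name], table, _depth + 1)
            # The referenced string behaves as if written inline here.
            prio.keyword = prio.keyword or nested.keyword
            for alg in nested.added:
                prio.added.add(alg)
                prio.removed.discard(alg)
            for alg in nested.removed:
                prio.removed.add(alg)
                prio.added.discard(alg)
            prio.flags |= nested.flags
        elif item.startswith("%"):
            prio.flags.add(item[1:])
        elif item[0] in "!-":
            prio.removed.add(item[1:])
            prio.added.discard(item[1:])
        elif item.startswith("+"):
            prio.added.add(item[1:])
            prio.removed.discard(item[1:])
        elif not prio.keyword:
            prio.keyword = item
        else:
            raise ValueError("unexpected item %r after keyword %s" % (item, prio.keyword))
    return prio


def lint(spec, system_strings=None):
    """Report which of the thread's hardening items a string provides."""
    prio = parse_priority(spec, system_strings)
    return {
        "keyword": prio.keyword,
        "disabled": {item: item in prio.removed for item in WEAK_ITEMS},
        "flags": {flag: flag in prio.flags for flag in WANTED_FLAGS},
    }


def missing_exclusions(spec, system_strings=None):
    """Return the weak items the string still leaves enabled, sorted."""
    report = lint(spec, system_strings)
    return sorted(item for item, off in report["disabled"].items() if not off)


if __name__ == "__main__":
    # Constructed stand-in for a distribution's @SYSTEM definition.
    table = {"SYSTEM": "NORMAL:!VERS-SSL3.0:!ARCFOUR-128:%LATEST_RECORD_VERSION"}
    for spec in ("NORMAL:%COMPAT", "@SYSTEM", "@SYSTEM:+ARCFOUR-128"):
        print(spec, "->", lint(spec, table), "missing:", missing_exclusions(spec, table))
```

The third sample string shows why an application appending to `@SYSTEM` matters: a `+ARCFOUR-128` placed after the reference re-enables RC4 regardless of what the system string removed, so a local override of the kind the last question asks about can undo the policy as easily as extend it.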
