On Mon, Feb 26, 2018 at 9:37 AM, Nikos Mavrogiannopoulos
<nmav@xxxxxxxxxx> wrote:
> regarding the strong crypto change in Fedora28 [0], we have identified
> a few (usually internal) sites which break under Firefox or other tools.
> The main reason for this breakage is that these sites only support
> Diffie-Hellman with 1024-bit parameters which are considered too weak
> by this change.

Setting up a unified distro-wide crypto policy was a Good Thing, but we
have to use it responsibly. Unfortunately, I don't think it's practical
for Fedora to increase the minimum required Diffie-Hellman parameter
size to 2048 until either Firefox or Chrome has done so first. Users
are just going to object that they can't use Fedora to access various
important websites, and those important websites will never be fixed so
long as they're only broken for Fedora users. We should consider
ourselves at the mercy of the major browser vendors to implement new
restrictions before we do. It's a shame that major browsers are so
unwilling to break websites, even when it's clearly important for
security, but that's the world we live in. :/

Alternatively, if you want to strengthen the system crypto policy, then
it should not apply to web browsers at all. Or web browsers should
automatically use the weak policy. (We'd need the weak policy in
glib-networking, too.)

Michael