Re: fedora28 and strong crypto settings

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2018-02-26 at 10:26 -0600, mcatanzaro@xxxxxxxxx wrote:
> On Mon, Feb 26, 2018 at 9:37 AM, Nikos Mavrogiannopoulos 
> <nmav@xxxxxxxxxx> wrote:
> > regarding the strong crypto change in Fedora28 [0], we have
> > identified
> > few (usually internal) sites which break under firefox or other
> > tools.
> > The main reason for this breakage is that these sites only support
> > Diffie-Hellman with 1024-bit parameters which are considered too
> > weak
> > by this change.
> 
> Setting up a unified distro-wide crypto policy was a Good Thing, but
> we 
> have to use it responsibly. Unfortunately, I don't think it's
> practical 
> for Fedora to increase the minimum required Diffie-Hellman parameter 
> size to 2048 until either Firefox or Chrome has done so first. Users 
> are just going to object that they can't use Fedora to access
> various 
> important websites, and those important websites will never be fixed
> so 
> long as they're only broken for Fedora users. We should consider 
> ourselves at the mercy of the major browser vendors to implement new 
> restrictions before we do. It's a shame that major browsers are so 
> unwilling to break websites, even when it's clearly important for 
> security, but that's the world we live in. :/
> 
> Alternatively, if you want to strengthen the system crypto policy,
> then 
> it should not apply to web browsers at all. Or web browsers should 
> automatically use the weak policy. (We'd need the weak policy in 
> glib-networking, too.)

I agree we need to have the DEFAULT policy be applicable to all
applications, browsers and not (otherwise we end up in reports like
curl and wget don't work while firefox does). It is important though to
gather all data we can from the user reports before reverting, in order
to better understand why that doesn't work, which apps are affected and
better predict when we can make it work.

>From the current reports, I believe we have two classes of systems
which cause a problem. (1) systems with implementations which don't
support elliptic curves (that may be rhel5, centos5), and the
administrator set up 1024-bit DH parameters, (2) cisco VPN servers
which are configured to use 1024-bit DH parameters.

regards,
Nikos
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux