On Fri, Jun 01, 2018 at 10:25:42AM -0500, mcatanzaro@xxxxxxxxx wrote: > On Fri, Jun 1, 2018 at 8:06 AM, Daniel P. Berrangé <berrange@xxxxxxxxxx> > wrote: > > What is the availibility of TLS 1.2 vs 1.1/1.0 on the internet ? > > ie how likely is this to break the ability of users to access websites > > they care about ? > > Yeah... this has been discussed on this list before. If this change is made, > then we will need to drop our glib-networking patch that causes > glib-networking to respect Fedora's system crypto policy, since we simply > cannot afford to be more restrictive than major browsers. I believe the > system crypto policy developers should consider how this is really intended > to work, because there's no point in having a system policy if software > stops using it. > > It could be doable if glib-networking was able to specify a priority string > like @SYSTEMLEGACY insetad of just @SYSTEM, but the current design of the > system crypto policy prevents applications from choosing between the three > policies. IIUC, glib-networking uses GNUTLS. If so, a while ago I added ability to specify an ordered list of named priority aliases to GNUTLS that might handle the kind of scenario you describe. https://www.berrange.com/posts/2016/11/15/new-tls-algorithm-priority-config-for-libvirt-with-gnutls-on-fedora-25/ eg in libvirt we now use the string "@LIBVIRT,SYSTEM" in Fedora builds which tells GNUTLS to find the policy "LIBVIRT" and if that is not present, fall back to the "SYSTEM" policy. We do this so libvirt respects system policy by default, but admins can then set an alternative system wide policy for libvirt connections that uses something stricter (or weaker), without affecting TLS usage for non-libvirt connections. We've done the same for QEMU which "@QEMU,SYSTEM" as its default policy now, for VNC and its other TLS services. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/EXNUSAZ4VQTKDUDTX7DOYVO3ZLLK2ML6/
