Re: F29 System Wide Change: Strong crypto settings: phase 2

On Fri, Jun 01, 2018 at 10:25:42AM -0500, mcatanzaro@xxxxxxxxx wrote:
> On Fri, Jun 1, 2018 at 8:06 AM, Daniel P. Berrangé <berrange@xxxxxxxxxx>
> wrote:
> > What is the availability of TLS 1.2 vs 1.1/1.0 on the internet ?
> > ie how likely is this to break the ability of users to access websites
> > they care about ?
> 
> Yeah... this has been discussed on this list before. If this change is made,
> then we will need to drop our glib-networking patch that causes
> glib-networking to respect Fedora's system crypto policy, since we simply
> cannot afford to be more restrictive than major browsers. I believe the
> system crypto policy developers should consider how this is really intended
> to work, because there's no point in having a system policy if software
> stops using it.
> 
> It could be doable if glib-networking was able to specify a priority string
> like @SYSTEMLEGACY instead of just @SYSTEM, but the current design of the
> system crypto policy prevents applications from choosing between the three
> policies.

IIUC, glib-networking uses GNUTLS. If so, a while ago I added ability to
specify an ordered list of named priority aliases to GNUTLS that might handle
the kind of scenario you describe.

  https://www.berrange.com/posts/2016/11/15/new-tls-algorithm-priority-config-for-libvirt-with-gnutls-on-fedora-25/
  
eg in libvirt we now use the string "@LIBVIRT,SYSTEM" in Fedora builds which
tells GNUTLS to find the policy "LIBVIRT" and if that is not present, fall
back to the "SYSTEM" policy.

We do this so libvirt respects system policy by default, but admins can
then set an alternative system wide policy for libvirt connections that
uses something stricter (or weaker), without affecting TLS usage for
non-libvirt connections. We've done the same for QEMU, which uses "@QEMU,SYSTEM"
as its default policy now, for VNC and its other TLS services.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
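The alias fall-back described in the message above, worked through as an added example (not libvirt, QEMU or GnuTLS code): a small resolver that reads a `[priorities]` section like the one in a GnuTLS system config and expands a `"@LIBVIRT,SYSTEM"` style string by trying the named aliases left to right. The config text and the priority strings in it are constructed for illustration, not Fedora's real policy values.

```python
"""Resolve "@ALIAS1,ALIAS2" priority strings against a [priorities]
section, with left-to-right fall-back as described in the message.
Added example; the config below is constructed, not a real policy file."""
import configparser

# Constructed stand-in for the [priorities] section of a GnuTLS config
# (on Fedora this lives under /etc/crypto-policies/back-ends/; the
# priority strings here are illustrative only).
SAMPLE_CONFIG = """\
[priorities]
SYSTEM=NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
LIBVIRT=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2
"""


def load_priorities(text: str) -> dict:
    """Parse the [priorities] section into {ALIAS: priority string}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep alias names case-sensitive
    cp.read_string(text)
    return dict(cp["priorities"]) if cp.has_section("priorities") else {}


def resolve_priority(prio: str, named: dict) -> tuple:
    """Return (alias_used, expanded_priority_string).

    A leading '@' introduces a comma-separated list of aliases that are
    tried in order; the first one defined wins ("@LIBVIRT,SYSTEM" uses
    LIBVIRT if an admin defined it, otherwise SYSTEM). A string without
    '@' is a literal priority string and is returned unchanged.
    Raises KeyError when none of the listed aliases is defined.
    """
    if not prio.startswith("@"):
        return (None, prio)
    for alias in prio[1:].split(","):
        if alias in named:
            return (alias, named[alias])
    raise KeyError(f"none of '{prio[1:]}' is defined in [priorities]")


if __name__ == "__main__":
    named = load_priorities(SAMPLE_CONFIG)
    # LIBVIRT is defined, so the libvirt-specific policy is used.
    print(resolve_priority("@LIBVIRT,SYSTEM", named))
    # No QEMU alias in this config, so it falls back to SYSTEM.
    print(resolve_priority("@QEMU,SYSTEM", named))
```

Removing the `LIBVIRT=` line from the config and re-running shows the same `"@LIBVIRT,SYSTEM"` string quietly falling back to the system policy, which is the "respects system policy by default" behaviour the message describes.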
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/EXNUSAZ4VQTKDUDTX7DOYVO3ZLLK2ML6/