https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_cc_applications says that I need to patch the application (if it does not have a config file) to use "PROFILE=SYSTEM" as the argument to the cipher list.

However, when I was looking into the library which uses this function (rust-openssl), I found the following piece of code:

    /// Creates a new builder for TLS connections.
    ///
    /// The default configuration is subject to change, and is currently derived from Python.
    pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_default_verify_paths()?;
        ctx.set_cipher_list(
            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
        )?;
        setup_verify(&mut ctx);

        Ok(SslConnectorBuilder(ctx))
    }

https://github.com/sfackler/rust-openssl/blob/9ba802ad437447ac71f99d89653b35072bf5ccd9/openssl/src/ssl/connector.rs#L62-L74

Then I looked at CPython and found that it does this:

    /* Ignored in SSLContext constructor, only used to as _ssl.DEFAULT_CIPHER_STRING */
    #define PY_SSL_DEFAULT_CIPHER_STRING SSL_DEFAULT_CIPHER_LIST

And then it just ignores the call to SSL_CTX_set_cipher_list().

So my question would be: Should I patch rust-openssl to use PROFILE=DEFAULT or should I just remove that call entirely? It is not very clear to me from the guidelines. Also, since I want to get this upstream, which option is more portable?
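
An added example, not part of the original post and not code from rust-openssl or CPython: Python's `ssl` module wraps the same `SSL_CTX_set_cipher_list()` call, so it can probe whether the linked OpenSSL accepts `PROFILE=SYSTEM` and list which ciphers the hard-coded string would enable beyond the chosen configuration. It assumes an OpenSSL build without crypto-policies support rejects the keyword; the function names and the fallback logic are illustrative.

```python
import ssl

# Hard-coded list from the rust-openssl snippet quoted in the post.
RUST_OPENSSL_LIST = (
    "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
)
# Keyword from the Fedora packaging guidelines.
SYSTEM_PROFILE = "PROFILE=SYSTEM"


def effective_ciphers(cipher_string=None):
    """Return the cipher names a client context ends up with.

    None leaves the context as the Python build configured it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        # Raises ssl.SSLError when OpenSSL cannot select any cipher.
        ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def accepts(cipher_string):
    """True if the linked OpenSSL selects at least one cipher from the string."""
    try:
        effective_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def pick_cipher_string():
    """Use the system policy where OpenSSL knows it, else the explicit list."""
    return SYSTEM_PROFILE if accepts(SYSTEM_PROFILE) else RUST_OPENSSL_LIST


def hardcoded_extras():
    """Ciphers the hard-coded list enables beyond the picked configuration."""
    picked = set(effective_ciphers(pick_cipher_string()))
    return set(effective_ciphers(RUST_OPENSSL_LIST)) - picked


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("PROFILE=SYSTEM accepted:", accepts(SYSTEM_PROFILE))
    print("picked:", pick_cipher_string())
    print("enabled only by the hard-coded list:", sorted(hardcoded_extras()))
```

A non-empty last line on a Fedora system names the ciphers that the hard-coded string would turn on even though the system-wide policy disables them.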