On Fri, Dec 6, 2019 at 9:04 am, Igor Gnatenko
<ignatenkobrain@xxxxxxxxxxxxxxxxx> wrote:
> So my question would be: Should I patch rust-openssl to use
> PROFILE=DEFAULT or I should just remove that call entirely? It is not
> very clear to me from the guidelines.
That wouldn't be correct. It needs to use PROFILE=SYSTEM (Fedora system
policy), not PROFILE=DEFAULT (upstream default policy).
Two options:
* You can simply patch out the call to ctx.set_cipher_list()
(potentially-upstreamable solution)
* You can change the whole string from
"DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
to "SYSTEM" (probably slightly clearer for a downstream patch)
> Also since I want to get this
> upstream, which option is more portable?
I suspect the only portable option would be to delete the call. I
suspect you cannot use SYSTEM policy except on Fedora/RHEL; it probably
doesn't exist elsewhere and won't work. I haven't checked to be certain
for OpenSSL, but that's definitely the case for GnuTLS and it's likely
the same. Accordingly, the change is not suitable for upstream unless
upstream is OK with dropping the manual cipher list, so you'll probably
need to keep this downstream indefinitely.
I think it would be nice for Fedora crypto policy to be adjusted so as
to be suitable for upstream applications, so we don't have to patch
applications forever to comply, but this was a deliberate design choice.
Michael
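The check left open above (whether a given OpenSSL build accepts PROFILE=SYSTEM at all, and what the upstream string actually selects), written as an added example rather than code from the thread or from rust-openssl. It uses Python's stdlib ssl module because its set_ciphers() calls the same SSL_CTX_set_cipher_list() that rust-openssl's ctx.set_cipher_list() wraps, so the outcome reflects the local libssl; the FAMILY_MARKERS name mapping and the function names are assumptions made here.

```python
"""Probe how the local libssl treats the two cipher strings from the thread."""
import ssl

# Cipher list rust-openssl sets upstream (copied from the thread).
UPSTREAM_CIPHER_LIST = (
    "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
)
# Alias provided by the crypto-policies patched OpenSSL on Fedora/RHEL.
SYSTEM_POLICY = "PROFILE=SYSTEM"

# Assumed mapping: substrings of OpenSSL cipher names that identify each
# family the upstream string disables with a '!' rule.
FAMILY_MARKERS = {
    "aNULL": ("ADH-", "AECDH-"), "eNULL": ("NULL-",), "MD5": ("-MD5",),
    "3DES": ("DES-CBC3",), "DES": ("DES-CBC-",), "RC4": ("RC4",),
    "IDEA": ("IDEA",), "SEED": ("SEED",), "aDSS": ("-DSS-",),
    "SRP": ("SRP-",), "PSK": ("PSK-",),
}


def set_cipher_list(cipher_string):
    """Apply the string via SSL_CTX_set_cipher_list(); return enabled names or None.

    None means libssl rejected the string ("no cipher match"), which is what an
    unpatched OpenSSL does with an alias it does not know, such as PROFILE=SYSTEM.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def violations(cipher_string, names):
    """Ciphers in `names` that belong to a family `cipher_string` disables with '!'."""
    disabled = [tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")]
    markers = [m for fam in disabled for m in FAMILY_MARKERS.get(fam, ())]
    return [n for n in names if any(m in n for m in markers)]


def probe():
    """Summarise what this OpenSSL build accepts, the question the thread leaves open."""
    upstream = set_cipher_list(UPSTREAM_CIPHER_LIST)
    system = set_cipher_list(SYSTEM_POLICY)
    return {
        "upstream_accepted": upstream is not None,
        "upstream_violations": violations(UPSTREAM_CIPHER_LIST, upstream or []),
        "system_policy_accepted": system is not None,
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```

On a Fedora/RHEL OpenSSL `system_policy_accepted` comes back True; on an unpatched build it is False, which is the portability problem discussed above.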
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx