On Sun, Aug 22, 2021 at 11:00 PM Chris Adams <linux@xxxxxxxxxxx> wrote: > > Once upon a time, Dan Čermák <dan.cermak@xxxxxxxxxxxxxxxxxxx> said: > > #2659 Arbitration request: Crypto policy prevents VPN connections > > https://pagure.io/fesco/issue/2659 > > VPN requirements are a problem for increasing the encryption strength. > I have to connect to Cisco Meraki VPNs for work, and Libreswan has > disabled the necessary level of encryption. strongSwan still supports > them, so I use that instead (which, the NetworkManager plugins appear to > default to libreswan if it is installed, so I have to make sure it is > not). > > Even websites have problems; I went back and forth with another major > network equipment vendor because their support site HTTPS was only > supporting weaker methods. In the end, the only solution with Fedora > was to just use Google Chrome (which doesn't follow the system-wide > policy). I have to access that site for my job. > > It's unfortunate, but I must use VPNs and some websites. Fedora needs > to continue to support the older/weaker encryption methods in some form, > ideally via an opt-out mechanism for the system-wide crypto policies, or > allowing browsers to offer weaker methods with a warning or something. Sure. Crypto-policies are there to give you control of what's enabled, ideally what's enabled by default. 1) There's a blanket `update-crypto-policies --set LEGACY` 2) There's a possibility to reenable disabled algorithms with custom policies, allowing to go even lower than LEGACY (which you shouldn't really do on public networks, but who's there to stop you) 3) (F35+) There's a possibility to reenable algorithms per backends, say, for NSS, Java or krb5 only 4) (In an ideal world) crypto-policies settings should act as defaults, meaning apps should be able to further modify them, offer weaker methods with a warning, etc 5) There are total per-backend opt-out mechanisms / procedures 4 is what broke it here (gnutls currently uses hard-denylisting), but, in general, you still have all the other ways. They aren't something we can recommend to all openconnect users, but we've compromised on not-hard-disabling DTLS 0.9 specifically until we fix 4 more thoroughly. If an administrator of the specific host wants to modify or bypass crypto-policies, it's entirely within their power to do so and nobody intends (or is able to, for that matters) hinder that. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
