On Fri, Aug 27, 2021 at 6:28 PM przemek klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > On 8/25/21 4:54 AM, Alexander Sosedkin wrote: > > It's not ideal if one obsolete website forces downgrading the security > potentially for all the connections. I hope 5) is addressing that. > > That's something apps and only apps can handle. > > Well, but if the system policy says that TLS1.0 is banned, the only way for the app to downgrade would be if it had its own TLS stack, right? The right way is to make the library provide an API that overrides these defaults, and the application to call that API when it's confident it should deviate from the distribution defaults. The current way is that some libraries allow such overriding and some don't. > I do realize that the current policy mechanism is not designed for narrow deviations, I am just pointing out that it's not ideal because in practice people downgrade because they need narrow deviations for specific connections, and as you well know, relaxing the rules for all connections opens the door to downgrade attacks even on the connections that are capable of TLS2.0. > > I am asking if there is another way, for instance by having a per-interface policies, and setting up the relaxed rules for an interface that routes traffic to this one deficient remote endpoint. It'd be very interesting, hard, and abstraction-permeating to make crypto library configuration depend on endpoints or interfaces, but this is definitely something that should start from within either apps or crypto libraries themselves. crypto-policies is the furthermost component away from things like interfaces and endpoints. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
