Re: F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

Hi,

On Fri, 2022-04-29 at 17:49 -0400, Ben Cotton wrote:
> Changes like this have been very disruptive in the past because they
> haven't been completely thought through.
>
> Can we please make 100% sure these policies are not going to break
> things like VPN clients in the way that we have before.

This is the reason why the proposal contains extensive methods to test
whether things are going to break by modifying the crypto-policy or using
bpftrace. Unfortunately there are hundreds of packages that depend on
cryptographic libraries, and millions of different configurations out there.
We can’t know ahead of time which of them are going to break, but the
proposal provides tools and a long transition period to identify and fix
them.


Dan Čermák <dan.cermak@xxxxxxxxxxxxxxxxxxx> wrote:
> They are going to break things, but Ubuntu 22.04 deprecated SHA1
> signatures already, so it's very likely that a good chunk of the fallout
> will be cleared by the time Fedora 38 and 39 ship.

This isn’t going to help our cause, but this isn’t correct from what I can
see. The Ubuntu 22.04 release notes [1] say:

"In particular, certificates using SHA1 or MD5 as hash algorithms are now
invalid under the default security level."

Note that this only affects *certificates*, while our changes affect *all
signatures made with SHA1*, not just those in certificates.

I’ve also checked the published source package for Ubuntu, and it seems they
are just setting SECLEVEL to 2 plus raising the default TLS version to 1.2
when SECLEVEL is 2.

In conclusion: Ubuntu isn’t ahead of us here.

[1]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668


--
Clemens Lang
RHEL Crypto Team
Red Hat


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
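The distinction the message draws (Ubuntu's SECLEVEL 2 default rejects SHA-1 *certificates*, while the Fedora change rejects *every* SHA-1 signature OpenSSL is asked to make or verify) can be probed on a given system with the script below. It is an added example, not part of the thread and not the Fedora change's own test tooling; it assumes an `openssl` command-line tool (1.1.1 or 3.x) on PATH, and the key files, subject names and payload it creates are constructed for the demonstration. It reports three results: a raw SHA-1 signature over a file, and a SHA-1-signed leaf certificate verified at OpenSSL authentication level 0 and at level 2.

```shell
#!/bin/sh
# Added example (not from this thread or the Fedora change's tooling).
# Probes what the running OpenSSL configuration -- on Fedora, the active
# crypto-policy -- does with SHA-1 in the two places the message separates:
#   1. a raw SHA-1 signature over a file (what the Fedora change governs), and
#   2. a certificate signed with SHA-1, checked at OpenSSL security level 2
#      (the SECLEVEL that the Ubuntu 22.04 release notes refer to).
# Assumptions: `openssl` (1.1.1 or 3.x) on PATH; file names, subject names
# and the payload are constructed for this demonstration only.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 2048-bit RSA keys, so that key size is never the reason for a rejection.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" >/dev/null 2>&1
}

# Case 1. Prints "accepted" if the policy lets us both create and verify a
# raw SHA-1 signature, "rejected" if either step fails, "unavailable" if
# openssl itself is missing.
raw_sha1_signature() {
    gen_key "$WORK/sig.key" || { echo unavailable; return 0; }
    printf 'constructed sample payload\n' > "$WORK/msg.txt"
    if openssl pkey -in "$WORK/sig.key" -pubout -out "$WORK/sig.pub" >/dev/null 2>&1 &&
       openssl dgst -sha1 -sign "$WORK/sig.key" -out "$WORK/msg.sig" "$WORK/msg.txt" >/dev/null 2>&1 &&
       openssl dgst -sha1 -verify "$WORK/sig.pub" -signature "$WORK/msg.sig" "$WORK/msg.txt" >/dev/null 2>&1
    then
        echo accepted
    else
        echo rejected
    fi
}

# Case 2, setup. A SHA-256 self-signed CA plus a leaf certificate signed with
# SHA-1. OpenSSL never policy-checks the trust anchor's own signature, so the
# SHA-1 signature has to be on the leaf. Records ok | no-sha1 | unavailable in
# a status file so repeated verifications reuse the same certificates.
build_sha1_chain() {
    [ -f "$WORK/chain.status" ] && return 0
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
                  'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/ca-ext.cnf"
    if ! { gen_key "$WORK/ca.key" && gen_key "$WORK/leaf.key" &&
           openssl req -new -key "$WORK/ca.key" -subj '/CN=constructed-test-ca' \
               -out "$WORK/ca.csr" >/dev/null 2>&1 &&
           openssl x509 -req -sha256 -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
               -extfile "$WORK/ca-ext.cnf" -out "$WORK/ca.pem" >/dev/null 2>&1 &&
           openssl req -new -key "$WORK/leaf.key" -subj '/CN=constructed-leaf' \
               -out "$WORK/leaf.csr" >/dev/null 2>&1; }
    then
        echo unavailable > "$WORK/chain.status"
        return 0
    fi
    # If the policy refuses to even produce the SHA-1 signature, note that too.
    if openssl x509 -req -sha1 -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
           -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
    then
        echo ok > "$WORK/chain.status"
    else
        echo no-sha1 > "$WORK/chain.status"
    fi
}

# Case 2, check. Verifies the SHA-1 leaf at the given OpenSSL auth level
# (0 = no restrictions, 2 = the 112-bit level). Prints accepted | rejected | unavailable.
sha1_cert_at_level() {
    build_sha1_chain
    case "$(cat "$WORK/chain.status")" in
        unavailable) echo unavailable; return 0 ;;
        no-sha1)     echo rejected;    return 0 ;;
    esac
    if openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then
        echo accepted
    else
        echo rejected
    fi
}

report() {
    echo "raw SHA-1 signature:             $(raw_sha1_signature)"
    echo "SHA-1 leaf cert at auth level 0: $(sha1_cert_at_level 0)"
    echo "SHA-1 leaf cert at auth level 2: $(sha1_cert_at_level 2)"
}

report
```

Reading the output against the message: a system set up the way the Ubuntu notes describe should print "accepted" for the raw signature and "rejected" for the certificate at level 2, whereas a Fedora system with the proposed policy active should reject the raw signature as well. The level-2 result is never "accepted" on any OpenSSL 1.1.1 or 3.x, since a SHA-1 certificate signature falls below the 112-bit requirement of that level. The script only exercises OpenSSL; packages built on the other back-ends that crypto-policies configures (GnuTLS, NSS and the rest) need their own checks, which is the gap the message's bpftrace-based testing is meant to cover.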
