Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

Hi,

Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:

> On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
> > On 27/06/2022 08:53, Richard W.M. Jones wrote:
> > > On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
> > > > Dear Richard,
> > > >
> > > > If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
> > > > provider will solve this problem.
> > >
> > > Any clues on how to do that?
> >
> > https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>
> Results unclear.  Loading legacy + default doesn't seem to give any
> errors, but I still see the same errors in the tests.  I might be
> loading these providers in the wrong way however.
>
> The code is here:
> https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3

Two comments:

Most of your failures are "no suitable signature algorithm" and "no shared
ciphers". I suspect those might instead be caused by increased minimum TLS
versions enforced by the crypto-policy. Did you try running those tests in
the LEGACY crypto-policy? If that’s the issue, you don’t need to load the
legacy provider, and doing so doesn’t actually help.

I know the OpenSSL upstream documentation says so, but please don’t load the
legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy
provider for all code in the same address space by default. This means, for
example, that applications that embed a Python interpreter will inherit its
use of the legacy provider, even if they don’t want to. See [1] for further
discussion of this issue, and examples on how to avoid it.

 [1] https://github.com/lsh123/xmlsec/issues/339


HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat
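The second point above (load the legacy provider into a private OSSL_LIB_CTX, never into the NULL default context) can be checked empirically. The following is an added example written for this archive page; it is not code from the thread, from Richard's cpython branch, or from the xmlsec issue. It drives libcrypto through ctypes so it needs no OpenSSL headers, and it assumes an OpenSSL 3 `libcrypto.so.3` plus the legacy provider module (`legacy.so`) are installed. MD4 is used as the probe because OpenSSL 3 ships it only in the legacy provider, while SHA-256 from the default provider serves as a control. The function loads `legacy` and `default` into a fresh context and then re-checks what the process-wide default context can fetch, which is exactly what an embedding application would observe.

```python
"""
Demonstrate that loading OpenSSL 3's legacy provider into a private
OSSL_LIB_CTX leaves the process-wide default (NULL) context untouched.

Added example, not code from the mailing-list thread. Assumes libcrypto.so.3
and the legacy provider module (legacy.so) are installed. MD4 is the probe
because OpenSSL 3 only serves it from the legacy provider.
"""
import ctypes
import ctypes.util

PROBE_DIGEST = b"MD4"       # legacy-only digest in OpenSSL 3
CONTROL_DIGEST = b"SHA256"  # served by the default provider


def _load_libcrypto():
    """Return a ctypes handle to an OpenSSL 3 libcrypto with argtypes set, or None."""
    candidates = [ctypes.util.find_library("crypto"), "libcrypto.so.3"]
    for name in candidates:
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        # OSSL_LIB_CTX_new exists only in 3.x, so this also rejects a 1.1 libcrypto.
        if not hasattr(lib, "OSSL_LIB_CTX_new"):
            continue
        lib.OSSL_LIB_CTX_new.restype = ctypes.c_void_p
        lib.OSSL_LIB_CTX_new.argtypes = []
        lib.OSSL_LIB_CTX_free.restype = None
        lib.OSSL_LIB_CTX_free.argtypes = [ctypes.c_void_p]
        lib.OSSL_PROVIDER_load.restype = ctypes.c_void_p
        lib.OSSL_PROVIDER_load.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
        lib.OSSL_PROVIDER_unload.restype = ctypes.c_int
        lib.OSSL_PROVIDER_unload.argtypes = [ctypes.c_void_p]
        lib.EVP_MD_fetch.restype = ctypes.c_void_p
        lib.EVP_MD_fetch.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p]
        lib.EVP_MD_free.restype = None
        lib.EVP_MD_free.argtypes = [ctypes.c_void_p]
        return lib
    return None


def digest_available(lib, libctx, name):
    """True if EVP_MD_fetch() resolves `name` in `libctx` (None means the default context)."""
    md = lib.EVP_MD_fetch(libctx, name, None)
    if not md:
        return False
    lib.EVP_MD_free(md)
    return True


def check_legacy_isolation():
    """Load legacy+default into a private context and report what each context can fetch."""
    result = {
        "libcrypto_available": False,
        "legacy_loaded": False,
        "md4_in_default_ctx_before": None,
        "md4_in_default_ctx_after": None,
        "md4_in_private_ctx": None,
        "sha256_in_private_ctx": None,
    }
    lib = _load_libcrypto()
    if lib is None:
        return result
    result["libcrypto_available"] = True

    # Baseline: what the process-wide default context offers before we touch anything.
    result["md4_in_default_ctx_before"] = digest_available(lib, None, PROBE_DIGEST)

    # Recommended pattern: a private context that only this component uses.
    ctx = lib.OSSL_LIB_CTX_new()
    if not ctx:
        return result
    legacy = lib.OSSL_PROVIDER_load(ctx, b"legacy")    # NULL if legacy.so is missing
    default = lib.OSSL_PROVIDER_load(ctx, b"default")  # keep modern algorithms available too
    result["legacy_loaded"] = bool(legacy)
    result["md4_in_private_ctx"] = digest_available(lib, ctx, PROBE_DIGEST)
    result["sha256_in_private_ctx"] = digest_available(lib, ctx, CONTROL_DIGEST)

    # The default context must be unchanged: no other code in the process gained MD4.
    result["md4_in_default_ctx_after"] = digest_available(lib, None, PROBE_DIGEST)

    for prov in (legacy, default):
        if prov:
            lib.OSSL_PROVIDER_unload(prov)
    lib.OSSL_LIB_CTX_free(ctx)
    return result


if __name__ == "__main__":
    for key, value in check_legacy_isolation().items():
        print(f"{key}: {value}")
```

Run it once as-is and once after changing the private `ctx` to `None` in the two `OSSL_PROVIDER_load` calls: in the second variant `md4_in_default_ctx_after` flips to `True`, which is the leak into every other user of libcrypto in the address space that the message warns about. The first point in the message (minimum TLS versions set by the Fedora crypto-policy) is a system configuration matter and is not exercised by this check.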

