Hi,
> Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>> On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
>>> On 27/06/2022 08:53, Richard W.M. Jones wrote:
>>>> On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
>>>>> Dear Richard,
>>>>> If the only problem is legacy (and unsafe) ciphersuites, loading the
>>>>> legacy provider will solve this problem.
>>>> Any clues on how to do that?
>>> https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>> Results unclear. Loading legacy + default doesn't seem to give any
>> errors, but I still see the same errors in the tests. I might be
>> loading these providers in the wrong way however.
>> The code is here:
>> https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
Two comments:
Most of your failures are "no suitable signature algorithm" and "no shared
ciphers". I suspect those might instead be caused by increased minimum TLS
versions enforced by the crypto-policy. Did you try running those tests in
the LEGACY crypto-policy? If that’s the issue, you don’t need to load the
legacy provider, and doing so doesn’t actually help.
I know the OpenSSL upstream documentation says so, but please don’t load the
legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy
provider for all code in the same address space by default. This means, for
example, that applications that embed a Python interpreter will inherit its
use of the legacy provider, even if they don’t want to. See [1] for further
discussion of this issue, and examples on how to avoid it.
[1] https://github.com/lsh123/xmlsec/issues/339
HTH,
Clemens
--
Clemens Lang
RHEL Crypto Team
Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure