[Bug 2182151] Review Request: ktls-utils - TLS Handshake agent for kernel sockets

https://bugzilla.redhat.com/show_bug.cgi?id=2182151



--- Comment #25 from Jeff Layton <jlayton@xxxxxxxxxx> ---
This is a reasonable request, but it'll take a bit longer:

FIX: The daemon does not respect distribution-wide crypto policies. It enables
algorithms in tlshd_make_priorities_string() based on what Linux supported at
build time of this package. Ideally the daemon should consult crypto policy
<https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/> and
only enable a disjunction of what Linux offers and what user-space crypto
policy mandates. Please contact <security@xxxxxxxxxxxxxxxxxxxxxxx> for help.
There is a possibility that Linux already does that in another way. Please get a
crypto review from the security team on that mailing list.

For this, I think we need to vet each cipher and only enable the ones that are
in the current priority list. That might be doable via
gnutls_priority_cipher_list(3) but I'll need to experiment.


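Added example, not part of the Bugzilla comment and not ktls-utils code: a sketch of the per-cipher vetting the comment describes, keeping only ciphers that appear in the policy's list and are also offered by the kernel. The cipher ids, `struct candidate`, `build_cipher_string()` and `demo()` are hypothetical, and the policy array is constructed where a daemon would use the list returned by gnutls_priority_cipher_list(3).

```c
#include <stdio.h>
#include <string.h>

/* Stand-in cipher ids, constructed for this example. A real build would use
 * the gnutls_cipher_algorithm_t values from <gnutls/gnutls.h>. */
enum { EX_AES_128_GCM = 1, EX_AES_256_GCM, EX_CHACHA20_POLY1305, EX_AES_128_CCM };

struct candidate {
    unsigned int id;   /* id as it would appear in the policy's cipher list */
    const char *name;  /* GnuTLS priority-string token */
    int in_kernel;     /* 1 if the kernel offers it for kTLS (assumed input) */
};

/* Hypothetical helper: emit "+A:+B" holding only ciphers that are both in the
 * policy list and offered by the kernel, in the policy's own order.
 * Returns the number enabled, or -1 if out is too small. */
int build_cipher_string(const struct candidate *c, int nc,
                        const unsigned int *policy, int np,
                        char *out, size_t outlen)
{
    size_t used = 0;
    int enabled = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < np; i++) {
        for (int j = 0; j < nc; j++) {
            if (c[j].id != policy[i] || !c[j].in_kernel)
                continue;
            int n = snprintf(out + used, outlen - used, "%s+%s",
                             enabled ? ":" : "", c[j].name);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;
            used += (size_t)n;
            enabled++;
            break;
        }
    }
    return enabled; /* 0: no usable cipher, caller should not fall back */
}

/* Constructed sample: policy omits AES-128-GCM; AES-128-CCM marked not in kernel. */
int demo(char *out, size_t outlen)
{
    const struct candidate c[] = {
        { EX_AES_128_GCM, "AES-128-GCM", 1 },
        { EX_AES_256_GCM, "AES-256-GCM", 1 },
        { EX_CHACHA20_POLY1305, "CHACHA20-POLY1305", 1 },
        { EX_AES_128_CCM, "AES-128-CCM", 0 },
    };
    /* Stands in for the array gnutls_priority_cipher_list() would return. */
    const unsigned int policy[] = { EX_AES_256_GCM, EX_CHACHA20_POLY1305, EX_AES_128_CCM };
    return build_cipher_string(c, 4, policy, 3, out, outlen);
}
```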



