On 08/08/14 09:20, Nikos Mavrogiannopoulos wrote:
Hello,
I plan to submit the following text for packaging guidelines regarding
crypto policies. Are there any comments or suggestions?
Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy)
there are policies for the usage of SSL and TLS cryptographic protocols
that are enforced system-wide. Each application being added in Fedora
must be checked to comply with the policies. Currently the policies are
restricted to applications using GnuTLS and OpenSSL.
* OpenSSL applications: If the application provides a configuration
file that allows modifying the cipher list string, ensure that the
default is "PROFILE=SYSTEM". Otherwise, if the application doesn't have
a configuration file, ensure that there is no default cipher list
specified, or that the default list is set as "PROFILE=SYSTEM".
* GnuTLS applications: If the application provides a configuration file
that allows modifying the cipher priority string, ensure that the
default is "@SYSTEM". Otherwise, if the application doesn't have a
configuration file, ensure that it uses gnutls_set_default_priority(),
or that the default priority string is "@SYSTEM".
Applications utilizing other cryptographic libraries do not adhere to
the system-wide crypto policies.
regards,
Nikos
What about GNUPG?
And what will that default be set to? Because certain ciphers that NIST
seems to think are OK, are not OK, as we found out. And who decides
which ciphers are good in that context?
Are we following bettercrypto.org's paper?
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
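
The check described in the draft guideline above can be partly automated during package review. The following is an added example, not part of the thread or of any Fedora tooling: a line-based scan of C source for OpenSSL and GnuTLS calls that hard-code a cipher or priority string other than "PROFILE=SYSTEM" / "@SYSTEM". The function name check_source and the sample source are constructed for illustration.

```python
import re

# Library calls that take a cipher/priority string, mapped to the default
# value the draft guideline expects.
EXPECTED = {
    "SSL_CTX_set_cipher_list": "PROFILE=SYSTEM",
    "SSL_set_cipher_list": "PROFILE=SYSTEM",
    "gnutls_priority_set_direct": "@SYSTEM",
    "gnutls_priority_init": "@SYSTEM",
}

# Function name, then the first string literal among its arguments
# (same line only; calls passing a variable are not matched).
CALL_RE = re.compile(
    r'\b(' + "|".join(EXPECTED) + r')\s*\([^;"]*"((?:[^"\\]|\\.)*)"'
)

def check_source(text):
    """Return (line_number, function, literal, expected) for every call
    whose literal string differs from the system-policy keyword."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func, literal = m.group(1), m.group(2)
            if literal != EXPECTED[func]:
                findings.append((lineno, func, literal, EXPECTED[func]))
    return findings

# Constructed sample input (not taken from any real package).
SAMPLE = r'''
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
SSL_CTX_set_cipher_list(ctx2, "PROFILE=SYSTEM");
gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
gnutls_priority_init(&cache, "@SYSTEM", NULL);
gnutls_set_default_priority(session);
SSL_CTX_set_cipher_list(ctx3, cfg->ciphers);
'''

if __name__ == "__main__":
    for lineno, func, literal, expected in check_source(SAMPLE):
        print(f'line {lineno}: {func}("{literal}") should default to "{expected}"')
```

Calls that pass a variable (such as the last sample line) are not flagged; for those the reviewer still has to check the default in the application's configuration file by hand.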