System-wide crypto policy transition tracker
Michael Catanzaro
mcatanzaro at gnome.org
Thu Jan 8 01:59:50 UTC 2015
On Tue, Jan 6, 2015 at 9:20 AM, Nikos Mavrogiannopoulos
<nmav at redhat.com> wrote:
> Hello,
> I've created a transition tracker to system-wide crypto policy at:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179209
>
> Currently it contains bugs filled against openssl and gnutls
> applications in Fedora. If you use some application which utilizes
> SSL/TLS and isn't included in the tracker feel free to request it use
> the policy, and include a link to the bug report in the tracker.
Hi,
This looks like a big improvement. I have a few questions about what to
expect @SYSTEM to include in F22:
* Will the system priority string include %COMPAT?
* Will it include %LATEST_RECORD_VERSION? (WebKitGTK+ has been using
this at your suggestion, since servers started blocking SSLv3 record
versions.)
* Given that GnuTLS 3.4 seems unlikely to be stable before F22, will it
include !VERS-SSL3.0?
* And what about !ARCFOUR-128?
Now a hypothetical: say some new attack is published and some new set
of ciphersuites is considered weak. Can applications trust that the
system-provided string will always be secure (or represent a reasonable
security-compatibility trade-off)? Of course that might depend on the
severity of the attack, so more specifically: if POODLE were to be
discovered one month after F22 is released, would @SYSTEM be
immediately updated to include !VERS-SSL3.0, or would a change like
that be delayed until the next Fedora release? If the change was
delayed, would application-specific patches to change the default
priority string be permitted?
Lastly, one criticism: I'm really unsure why any of this is being
treated as Fedora-specific. Other distributions should benefit from
this work as well. In particular, an upstream application developer
needs some way to specify "secure defaults please and thank you" and it
looks like gnutls_set_default_priority() will be the way to get that on
Fedora. But upstream projects would be amiss to use the default
priority, which is a shame. I'd really like for upstream projects to
not have to worry about the priority string unless they choose to.
Thanks,
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150107/c558c287/attachment.html>
More information about the devel
mailing list