System-wide crypto policy transition tracker

Michael Catanzaro mcatanzaro at gnome.org
Thu Jan 8 01:59:50 UTC 2015 

On Tue, Jan 6, 2015 at 9:20 AM, Nikos Mavrogiannopoulos 
<nmav at redhat.com> wrote:
> Hello,
>  I've created a transition tracker to system-wide crypto policy at:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179209
> 
> Currently it contains bugs filled against openssl and gnutls
> applications in Fedora. If you use some application which utilizes
> SSL/TLS and isn't included in the tracker feel free to request it use
> the policy, and include a link to the bug report in the tracker.

Hi,

This looks like a big improvement. I have a few questions about what to 
expect @SYSTEM to include in F22:

* Will the system priority string include %COMPAT?
* Will it include %LATEST_RECORD_VERSION? (WebKitGTK+ has been using 
this at your suggestion, since servers started blocking SSLv3 record 
versions.)
* Given that GnuTLS 3.4 seems unlikely to be stable before F22, will it 
include !VERS-SSL3.0?
* And what about !ARCFOUR-128?

Now a hypothetical: say some new attack is published and some new set 
of ciphersuites is considered weak. Can applications trust that the 
system-provided string will always be secure (or represent a reasonable 
security-compatibility trade-off)? Of course that might depend on the 
severity of the attack, so more specifically: if POODLE were to be 
discovered one month after F22 is released, would @SYSTEM be 
immediately updated to include !VERS-SSL3.0, or would a change like 
that be delayed until the next Fedora release? If the change was 
delayed, would application-specific patches to change the default 
priority string be permitted?

Lastly, one criticism: I'm really unsure why any of this is being 
treated as Fedora-specific. Other distributions should benefit from 
this work as well. In particular, an upstream application developer 
needs some way to specify "secure defaults please and thank you" and it 
looks like gnutls_set_default_priority() will be the way to get that on 
Fedora. But upstream projects would be amiss to use the default 
priority, which is a shame. I'd really like for upstream projects to 
not have to worry about the priority string unless they choose to.

Thanks,

Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150107/c558c287/attachment.html>

More information about the devel mailing list