<div dir="ltr">On Wed, Jan 7, 2015 at 4:04 AM, Nikos Mavrogiannopoulos <span dir="ltr"><<a href="mailto:nmav@redhat.com" target="_blank">nmav@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On Tue, 2015-01-06 at 12:16 -0500, Christopher wrote:<br>
<br>
<br>
> Are there any guidelines for enforcing crypto policies in Java<br>
> applications?<br>
> Primarily, I was thinking about those Java applications that use JSSE<br>
> system properties or similar user-driven configuration to specify<br>
> keystores. Are those affected by this crypto policy at all?<br>
<br>
</span>Not yet. I haven't started a process on that, as I'd like to have time<br>
to spend on the successful deployment on openssl, gnutls and hopefully<br>
nss. However, maybe we don't need to do everything in a serialized way.<br>
If you are interested in that, may I suggest filing feature requests<br>
with the relevant Java packages shipped in Fedora?<br>
<br>
I've put a tracker of the crypto policies applicability at:<br>
<a href="https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies" target="_blank">https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies</a><br>
<span class=""><br>
> Also, what about situations where SSL/TLS is off by default in the<br>
> application, but is available as an optional feature, if the user<br>
> configures it? Since users are obliged to configure it, it seems<br>
> there's not much for a packager to do in those situations, because<br>
> that depends on the user's configuration, right?<br>
<br>
</span>I'm not sure I understand the question. Let's see wget.<br>
wget <a href="http://www.amazon.com" target="_blank">http://www.amazon.com</a> ----> no ssl<br>
wget <a href="https://www.amazon.com" target="_blank">https://www.amazon.com</a> ----> ssl with system wide policies<br>
wget --secure-protocol=TLSv1 -----> application/user specific policy<br>
<br>
That is, the default policies should be used if the user simply asks for<br>
SSL/TLS without being more specific.<br>
<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div>I was more curious about services (vs. clients) which provide optional SSL/TLS features (httpd, as a representative example case), and how this policy would apply to the default configs for such services. My package, accumulo, has such a feature, but a user has to edit configuration to turn it on, specifying keystores, truststores, algorithms, etc. (analogous to httpd). The default config ships with it turned off, because it's a lot of overhead, and the primary use case (in a cloud) doesn't require secure connections. I just want to make sure that if this policy affects me, I do the right thing to comply. It doesn't seem like it affects me, as I understand it.<br><br></div><div>Thanks.<br></div></div></div></div>
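<div class="h5">">
<p>An added example, not part of the thread and not code from Fedora's crypto-policies or from accumulo: a small Python 3 configuration loader that mirrors the three wget cases Nikos lists (no TLS, TLS under the defaults of the linked OpenSSL, and an application-specific override). The configuration dictionary, the <code>min_protocol</code> key and the protocol names are constructed for illustration; that the untouched default context actually reflects the distribution's system-wide policy depends on the OpenSSL build Python links against and is an assumption here.</p>

```python
import ssl

# Constructed sample configurations (illustrative, not from any real project).
# "min_protocol": None models a user who asked for TLS without being more specific,
# which is the case where the distribution's default policy should apply untouched.
SAMPLE_CONFIGS = {
    "plain":        {"tls": False},
    "tls_default":  {"tls": True, "min_protocol": None},
    "tls_explicit": {"tls": True, "min_protocol": "TLSv1.2"},
}

# Names a user might write in the (hypothetical) config file, mapped to ssl constants.
_PROTOCOL_NAMES = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def policy_mode(config):
    """Classify a config the way the wget examples do: no TLS, system policy, or app-specific."""
    if not config.get("tls"):
        return "none"
    if config.get("min_protocol") is None:
        return "system"
    return "application"


def build_context(config):
    """Return None when TLS is off, otherwise an SSLContext honouring the config's choice.

    With no explicit protocol the context is left exactly as ssl.create_default_context()
    produced it, so the defaults of the OpenSSL build Python links against (on Fedora,
    assumed to be shaped by the system-wide crypto policy) stay in force.
    """
    mode = policy_mode(config)
    if mode == "none":
        return None
    ctx = ssl.create_default_context()  # certificate verification and hostname checking on
    if mode == "system":
        return ctx
    name = config["min_protocol"]
    if name not in _PROTOCOL_NAMES:
        raise ValueError(f"unsupported protocol name in config: {name!r}")
    ctx.minimum_version = _PROTOCOL_NAMES[name]  # the application-specific override
    return ctx


if __name__ == "__main__":
    for label, cfg in SAMPLE_CONFIGS.items():
        ctx = build_context(cfg)
        detail = "no TLS" if ctx is None else f"minimum_version={ctx.minimum_version.name}"
        print(f"{label:13s} -> {policy_mode(cfg):11s} ({detail})")
```

<p>The design point for a packager is the <code>"system"</code> branch: nothing is set on the context, so a later change to the distribution's policy takes effect without any change to the application or its default configuration.</p>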