https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/...
says that I need to patch the application (if it does not have a config
file) to use "PROFILE=SYSTEM" as the argument to the cipher list.
However, when I was looking into the library which uses this function
(rust-openssl), I found the following piece of code:
    /// Creates a new builder for TLS connections.
    ///
    /// The default configuration is subject to change, and is currently derived from Python.
    pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        // Load the platform's default CA locations for peer verification.
        ctx.set_default_verify_paths()?;
        // Hardcoded cipher string; this is the line a crypto-policies patch would replace.
        ctx.set_cipher_list(
            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
        )?;
        setup_verify(&mut ctx);
        Ok(SslConnectorBuilder(ctx))
    }
https://github.com/sfackler/rust-openssl/blob/9ba802ad437447ac71f99d89653...
Then I looked at CPython and found that it does this:
    /* Ignored in SSLContext constructor, only used as
       _ssl.DEFAULT_CIPHER_STRING */
    #define PY_SSL_DEFAULT_CIPHER_STRING SSL_DEFAULT_CIPHER_LIST
And then it just ignores the call to SSL_CTX_set_cipher_list().
So my question would be: Should I patch rust-openssl to use
PROFILE=DEFAULT, or should I just remove that call entirely? It is not
very clear to me from the guidelines. Also, since I want to get this
upstream, which option is more portable?
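As an added example (not code from the post, from rust-openssl or from CPython), the portability question can be probed at runtime: try the crypto-policies profile first, fall back to the explicit string the Rust builder hardcodes, then inspect which suites the context would actually offer. It uses CPython's stdlib ssl module; the function names are mine, and it assumes that an OpenSSL without the Fedora patch rejects "PROFILE=SYSTEM" with a "no cipher match" error, which CPython surfaces as ssl.SSLError.

```python
import ssl

# Cipher string hardcoded by rust-openssl's SslConnector::builder (quoted in the post).
EXPLICIT_CIPHER_LIST = (
    "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
)
# Fedora crypto-policies keyword that defers to the system-wide policy.
SYSTEM_PROFILE = "PROFILE=SYSTEM"
# Substrings that must never appear in a suite name once the explicit list is in force.
WEAK_MARKERS = ("RC4", "DES", "MD5", "IDEA", "SEED", "DSS", "SRP", "PSK", "NULL")


def configure_ciphers(ctx, explicit=EXPLICIT_CIPHER_LIST):
    """Apply the system profile if this OpenSSL understands it, else the explicit list.

    Returns "system" or "explicit" so callers can see which policy is in force.
    Assumption: an unpatched OpenSSL matches no cipher for "PROFILE=SYSTEM" and
    set_ciphers() raises SSLError("No cipher can be selected.").
    """
    try:
        ctx.set_ciphers(SYSTEM_PROFILE)
        return "system"
    except ssl.SSLError:
        ctx.set_ciphers(explicit)
        return "explicit"


def negotiable_cipher_names(ctx):
    """Names of the suites the context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def has_weak_cipher(names):
    """True if any enabled suite carries an algorithm the explicit list bans."""
    return any(marker in name for name in names for marker in WEAK_MARKERS)


def build_client_context():
    """Mirror the quoted Rust builder: default verify paths, then the cipher policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()
    mode = configure_ciphers(ctx)
    return ctx, mode


if __name__ == "__main__":
    ctx, mode = build_client_context()
    names = negotiable_cipher_names(ctx)
    print(f"cipher policy in force: {mode}; {len(names)} suites enabled")
```

On a crypto-policies host the result is "system" and the suite list follows whatever update-crypto-policies has set; elsewhere it is "explicit" and the list is exactly what the hardcoded string permits.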