= Proposed System Wide Change: Disable SSL3 and RC4 by default =
https://fedoraproject.org/wiki/Changes/RemoveSSL3andRc4
Change owner(s): Nikos Mavrogiannopoulos <nmav(a)redhat.com>
This change will disable by default the SSL 3.0 protocol and the RC4 cipher in components
which use the system wide crypto policy. That is, gnutls and openssl libraries, and all
the applications based on them.
== Detailed Description ==
Serious vulnerabilities in the SSL 3.0 protocol have been known for a decade. Recent
attacks (e.g., the POODLE issue #1152789) take advantage of them, negating the secrecy
the protocol is meant to provide. The RC4 cipher is also considered cryptographically broken,
and new attacks against its secrecy are made known every year (#1207101). Since attacks
only get better, we should disable these broken protocols and ciphers system wide.
== Scope ==
* Proposal owners: The crypto-policies package has to be updated to accommodate the new
policies.
* Other developers: Should verify that their package works after the change, that is,
that the package does not require SSL 3.0 only, or the RC4 ciphersuites only. If the
package requires these options by design, the maintainers should consider contacting
upstream to update the software. If that is not possible, or if this support is needed to
contact legacy servers, they should consider not using the system wide policy and make
that apparent in the package documentation.
* Release engineering: This feature doesn't require coordination with release
engineering.
* Policies and guidelines: The packaging guidelines do not need to be changed.
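As an added example (not part of the proposal or of the crypto-policies package), the following Python applies the same floor inside an application's own ssl.SSLContext and audits the result; a package that opts out of the system wide policy, as allowed above, still needs a check like this. The cipher-string syntax is OpenSSL's, and the function names are this example's own.

```python
import ssl


def policy_context(purpose=ssl.Purpose.SERVER_AUTH,
                   minimum=ssl.TLSVersion.TLSv1):
    """Context with the proposed floor: no SSL 3.0 (or 2.0), no RC4 suites."""
    ctx = ssl.create_default_context(purpose)
    # Everything below `minimum` is refused at the handshake. TLSv1 is the
    # lowest version the policy keeps; pass TLSv1_2 for a modern floor.
    ctx.minimum_version = minimum
    # Keep the library's default suite list but strip RC4; the null ciphers
    # are excluded too, since no policy should ever let them through.
    ctx.set_ciphers("DEFAULT:!RC4:!eNULL:!aNULL")
    return ctx


def rc4_suites(ctx):
    """Names of the RC4 ciphersuites a context would still offer."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]


def audit_context(ctx):
    """Summarise whether a context still allows what the policy bans."""
    sslv3 = (not (ctx.options & ssl.OP_NO_SSLv3)
             and ctx.minimum_version <= ssl.TLSVersion.SSLv3)
    return {"sslv3_allowed": bool(sslv3), "rc4_suites": rc4_suites(ctx)}


def cipher_string_audit(spec):
    """RC4 suites an OpenSSL cipher string would enable on this library.

    Returns [] when the string selects nothing at all (SSLError). That is
    what an RC4-only configuration produces on a library built without RC4
    suites: exactly the breakage a package that "requires only RC4" hits.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return rc4_suites(ctx)


if __name__ == "__main__":
    print("policy context:", audit_context(policy_context()))
    # Constructed RC4-only string, the kind of setting a legacy package ships.
    print("RC4-only string enables:", cipher_string_audit("RC4-SHA:RC4-MD5"))
```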
--
Jan Kuřík
devel-announce mailing list
devel-announce(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce