On Thu, 2014-02-27 at 16:35 +0000, Colin Walters wrote:
> > and being applied after executing update-crypto-profiles. (Note: it
> > would be better to have a daemon that watches those files and runs
> > update-crypto-profiles automatically)
> Was the option of patching the libraries to *directly* read this new
> config file and prefer it over their own internal ones considered?
Hello,
Do you mean ignoring any other configured option? If we enforce
something like that, there will not be any easy way to override the
defaults, and I think that it would most probably result in forum
advice like "delete the crypto profile file", or "set a very weak
profile that would work everywhere".
That result would be undesirable, but there is a practical reason too.
There are strings in openssl and gnutls that enable PSK ciphersuites or
other exotic options for some applications, which we will not have
enabled in a system-wide policy (not initially at least).
regards,
Nikos