= Proposed Self Contained Change: NSS enforces the system-wide crypto policy =
https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies

Change owner(s):
* Nikos Mavrogiannopoulos <nmav AT redhat DOT com>

As it is now, the System-wide crypto policy in F24 is only enforced by the OpenSSL and GnuTLS TLS libraries. To harmonize crypto in Fedora, NSS is enhanced to respect the settings of the system-wide crypto policy as well.

== Detailed Description ==
As it is now, the System-wide crypto policy in F24 is only enforced by the OpenSSL and GnuTLS TLS libraries. To harmonize crypto in Fedora, NSS is enhanced to respect the settings of the system-wide crypto policy as well. After that change the administrator should be assured that any application that uses NSS will follow a policy that adheres to the configured profile.

== Scope ==
* Proposal owners: The change requires modifying the NSS library to read a policy generated by the crypto-policy package.
* Other developers: There are no required actions by other developers. The change requires only targeted changes to NSS.
* Release engineering: No actions required.
* Policies and guidelines:
  - The packaging guidelines for crypto policies need to be modified to include NSS in the list of libraries supporting the policies.
  - The text "(note that adherence to the system-wide policies is work in progress for NSS libraries)" must be removed.
  - The text "Currently the policies are restricted to applications using GnuTLS and OpenSSL" must be changed to include NSS.
* Trademark approval: N/A (not needed for this Change)
On 20.5.2016 11:48, Jan Kurik wrote:
= Proposed Self Contained Change: NSS enforces the system-wide crypto policy = https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies
Hooray!
On Fri, 2016-05-20 at 11:48 +0200, Jan Kurik wrote:
= Proposed Self Contained Change: NSS enforces the system-wide crypto policy = https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies
IYTM "enforces *some* of the system-wide crypto policy".
We also have a policy (in p11-kit config) for which PKCS#11 tokens should be loaded into which applications. I suppose you could play semantic games and say that's not really part of the "system-wide crypto policy" you were talking about. But please don't :)
As things stand, NSS is a holdout in that respect too. If we were to rebuild curl against GnuTLS¹, the right tokens would automatically be available. As it's currently built against NSS, they aren't.
This is https://bugzilla.redhat.com/show_bug.cgi?id=1173577 — and it might even be relatively easily solved just by loading p11-kit-proxy.so by default whenever the NSS database is initialised (without the NoDB flag).
Please could we make an effort to get that fixed at the same time? The patches you have as part of this Change are touching the *same* code in nss_InitModules() which needs to be fixed up for loading the right modules, too.
-- dwmw2
¹ Can we, please?
On Fri, 2016-05-20 at 11:48 +0200, Jan Kurik wrote:
As it is now, the System-wide crypto policy in F24 is only enforced by the OpenSSL and GnuTLS TLS libraries.
Keep in mind that the system policy is still overridden by glib-networking for all GNOME applications.
On Fri, 2016-05-20 at 10:01 -0500, Michael Catanzaro wrote:
On Fri, 2016-05-20 at 11:48 +0200, Jan Kurik wrote:
As it is now, the System-wide crypto policy in F24 is only enforced by the OpenSSL and GnuTLS TLS libraries.
Keep in mind that the system policy is still overridden by glib-networking for all GNOME applications.
This is a serious bug, but I don't really want to keep that in mind :)
I've already commented in https://bugzilla.redhat.com/show_bug.cgi?id=1179295
regards, Nikos
What is the impact on openjdk crypto providers?
On Fri, May 20, 2016, 05:49 Jan Kurik jkurik@redhat.com wrote:
= Proposed Self Contained Change: NSS enforces the system-wide crypto policy = https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies
-- Jan Kuřík, Platform & Fedora Program Manager, Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
The impact in what sense? Note that openjdk will also conform to the system-wide policy.
regards, Nikos
On Fri, 2016-05-20 at 15:24 +0000, Christopher wrote:
What is the impact on openjdk crypto providers?
It's my understanding that there's been some recent work to move openjdk to certain NSS security providers (for EC, for example). But, I think you already answered my (poorly worded) question. Thanks.
On Mon, May 23, 2016, 04:01 Nikos Mavrogiannopoulos nmav@redhat.com wrote:
The impact in what sense? Note that openjdk will also conform to the system-wide policy.
regards, Nikos
-- Nikos Mavrogiannopoulos, PhD, Crypto Tech. Lead, Security Technologies, Red Hat, Inc.