https://bugzilla.redhat.com/show_bug.cgi?id=2368742
--- Comment #12 from Pavol Sloboda psloboda@redhat.com ---
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-admin SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-binlog SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-check SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-dump SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-import SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-show SSL_CTX_set_cipher_list
mariadb11.8.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-slap SSL_CTX_set_cipher_list
mariadb11.8-backup.x86_64: W: crypto-policy-non-compliance-openssl /usr/bin/mariadb-backup SSL_CTX_set_cipher_list
mariadb11.8-embedded.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/libmariadbd.so.19 SSL_CTX_set_cipher_list
mariadb11.8-server.x86_64: W: crypto-policy-non-compliance-openssl /usr/libexec/mariadbd SSL_CTX_set_cipher_list
Is this at least reported to upstream?
I am still investigating these and I will either provide a reason why they are valid or contact upstream about them in the near future.
I have looked into the packaging guidelines [1], specifically the OpenSSL applications part of the aforementioned link, and as mentioned in that section, SSL_CTX_set_cipher_list can't be called with a fixed string unless it is "PROFILE=SYSTEM". It is being called with the return value of TLS_client_method(), which uses the SSL profile specified inside the makefile, which is being set during the build process using the -DWITH_SSL=system CMake flag to the system policy. This means that the packaging guidelines are being satisfied. Therefore the warnings above seem to be false positives.
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_c...
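
The rule cited from the packaging guidelines in the comment above, turned into a source-level triage (an added example, not part of the original comment and not MariaDB or rpmlint code): it classifies each SSL_CTX_set_cipher_list call by whether its cipher argument is the literal "PROFILE=SYSTEM", another fixed string, or a run-time value that has to be traced by hand. The C sample and the helper names call_args and classify are constructed for illustration.

```python
import re

ALLOWED = "PROFILE=SYSTEM"  # the only fixed string the guideline permits
CALL = re.compile(r"\bSSL_CTX_set_cipher_list\s*\(")
STRING = r'"(?:[^"\\]|\\.)*"'
LITERAL = re.compile(rf"(?:{STRING}\s*)+")  # adjacent C literals concatenate

def call_args(src, pos):
    """Split a C argument list starting just after '(' at top-level commas."""
    args, buf, depth, in_str = [], [], 0, False
    while pos < len(src):
        c = src[pos]
        if in_str:
            if c == "\\":                      # keep the escaped character too
                buf.append(c); pos += 1; c = src[pos] if pos < len(src) else ""
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:
                return args + ["".join(buf).strip()]
            depth -= 1
        elif c == "," and depth == 0:
            args.append("".join(buf).strip()); buf = []; pos += 1
            continue
        buf.append(c); pos += 1
    return []                                   # unbalanced: no usable arguments

def classify(src):
    """Return (line, verdict, argument) for every call found in C source text."""
    out = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end())
        arg = args[1] if len(args) > 1 else ""
        if LITERAL.fullmatch(arg):
            value = "".join(s[1:-1] for s in re.findall(STRING, arg))
            verdict = "ok" if value == ALLOWED else "fixed-string"
        else:
            verdict = "review"                  # computed at run time: read the code
        out.append((src.count("\n", 0, m.start()) + 1, verdict, arg))
    return out

# Constructed sample, not taken from the MariaDB sources.
SAMPLE = '''\
static int setup(SSL_CTX *ctx, const char *cipher_opt) {
    if (!SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM")) return 0;
    if (!SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL" ":!MD5")) return 0;
    return SSL_CTX_set_cipher_list(ctx, cipher_opt ? cipher_opt : default_list());
}
'''
for line, verdict, arg in classify(SAMPLE):
    print(f"line {line}: {verdict:12} {arg}")
```

A "review" verdict is neither a pass nor a failure: the binary-level rpmlint warning only shows that the symbol is referenced, so each such call site still has to be followed back to where its cipher string comes from.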