Re: enforcing a consistent crypto policy

> Hello, > I am working on a draft common crypto policy for Fedora. The idea is to > be able to set a security level for all TLS/SSL connections in a system > (which will of course allow the user to use any application-specific > overrides). > The draft change is at: > https://fedoraproject.org/wiki/Changes/CryptoPolicy > and is not submitted yet as I'd appreciate any comments, suggestions for > improvement or any help in implementing it. The current policy is > restricted to TLS and SSL libraries to have a manageable work effort but > the idea is to convert gradually all crypto applications and libraries. Order of cipher suites is just as important as which ones are enabled.

"minimum acceptable size of parameters" is missing ECDHE, and I'm assuming that by DH you mean ephemeral version of it. Specifying it explicitly may be a good idea.