On Thu, 2014-01-16 at 11:57 -0500, Hubert Kario wrote:
> Hello,
> I am working on a draft common crypto policy for Fedora. The idea is to
> be able to set a security level for all TLS/SSL connections in a system
> (which will of course allow the user to use any application-specific
> overrides).
> The draft change is at:
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
> and is not submitted yet as I'd appreciate any comments, suggestions for
> improvement or any help in implementing it. The current policy is
> restricted to TLS and SSL libraries to have a manageable work effort but
> the idea is to convert gradually all crypto applications and libraries.
Order of cipher suites is just as important as which ones are enabled.
Hello Hubert,
Indeed, an ordered list was meant and I've clarified that.
"minimum acceptable size of parameters" is missing ECDHE,
and I'm assuming that by DH you mean the ephemeral version of it.
Specifying it explicitly may be a good idea.
updated.
regards,
Nikos