Re: Enforcing system crypto policies
On Thursday, 4 April 2019 23:06:07 CEST Frank Ueberschar wrote:
Here
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
is a proposal to use a specific cipher list string for
SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
Especially this citation: "if that call is present and provided a fixed
string which does not contain PSK or SRP, replace the string with
"PROFILE=SYSTEM", or remove the call"
We have to rely on PSK. What ist the reason behind the above advice?
Thanks, Frank
more or less what David said. PSK and SRP are very specific use cases, ones
that don't work in open Internet and require close cooperation and
communication between server administrator and user. Crypto Policies target
common use cases with typical configurations (i.e. X.509 certificate
authentication).
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)