----- Original Message -----
From: "Nikos Mavrogiannopoulos" <nmav(a)redhat.com>
To: security(a)lists.fedoraproject.org
Sent: Thursday, 16 January, 2014 5:17:51 PM
Subject: enforcing a consistent crypto policy
[reposting from fedora-devel]
Hello,
I am working on a draft common crypto policy for Fedora. The idea is to
be able to set a security level for all TLS/SSL connections in a system
(which will of course allow the user to use any application-specific
overrides).
The draft change is at:
https://fedoraproject.org/wiki/Changes/CryptoPolicy
and is not submitted yet as I'd appreciate any comments, suggestions for
improvement or any help in implementing it. The current policy is
restricted to TLS and SSL libraries to have a manageable work effort but
the idea is to convert gradually all crypto applications and libraries.
Order of cipher suites is just as important as which ones are enabled.
"minimum acceptable size of parameters" is missing ECDHE, and I'm assuming
that by DH you mean ephemeral version of it. Specifying it explicitly may
be a good idea.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
http://wiki.brq.redhat.com/hkario
Email: hkario(a)redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
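The two review points above, cipher-suite order and minimum parameter sizes for ephemeral DH and ECDHE, as an added example that is not part of the thread and is not code from the Fedora CryptoPolicy draft. The policy levels, their bit-size values, the `Suite`/`ServerConfig` shapes and the sample server configuration are all constructed for illustration (the draft's real format may differ); the suite names are IANA-style names, with static DH modelled separately from DHE so the checker can reject non-ephemeral DH outright:

```python
"""Validate a TLS server configuration against a system-wide crypto policy.

Constructed example: the policy levels, field names and the ServerConfig
shape are hypothetical and are not the format of the Fedora CryptoPolicy
draft. The checks cover two review points: cipher-suite ORDER (which only
matters when the server's preference wins) and minimum parameter sizes for
RSA, ephemeral DH and ECDHE, with static (non-ephemeral) DH rejected.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical policy levels: minimum sizes in bits (constructed values).
POLICY: Dict[str, Dict[str, int]] = {
    "DEFAULT": {"rsa": 2048, "dhe": 2048, "ecdhe": 256, "sym": 112},
    "FUTURE":  {"rsa": 3072, "dhe": 3072, "ecdhe": 256, "sym": 128},
}

EPHEMERAL = {"DHE", "ECDHE"}   # key exchanges that give forward secrecy


@dataclass(frozen=True)
class Suite:
    name: str       # IANA-style suite name
    kex: str        # "RSA", "DHE", "ECDHE" or "DH" (static, non-ephemeral)
    sym_bits: int   # effective strength of the bulk cipher (3DES counted as 112)


@dataclass
class ServerConfig:
    suites: List[Suite]       # in the server's own preference order
    rsa_bits: int             # certificate key size
    dhe_bits: int             # DH group size offered for DHE suites
    ecdhe_bits: int           # curve size offered for ECDHE suites
    server_preference: bool   # does the server's order override the client's?


def suite_rank(s: Suite) -> Tuple[bool, int]:
    """Higher rank = must be offered earlier: forward secrecy first, then strength."""
    return (s.kex in EPHEMERAL, s.sym_bits)


def order_suites(suites: List[Suite]) -> List[Suite]:
    """Return the suites in policy-compliant order (stable sort for equal rank)."""
    return sorted(suites, key=suite_rank, reverse=True)


def check_config(cfg: ServerConfig, level: str) -> List[Tuple[str, str]]:
    """Return (category, message) findings; an empty list means compliant."""
    p = POLICY[level]
    findings: List[Tuple[str, str]] = []

    # 1. Ordering is only enforceable if the server's order is the one that wins.
    if not cfg.server_preference:
        findings.append(("ordering", "server preference disabled: the client's suite order decides"))

    # 2. Minimum parameter sizes, checked only for key exchanges actually offered.
    if cfg.rsa_bits < p["rsa"]:
        findings.append(("parameters", f"RSA key {cfg.rsa_bits} < {p['rsa']} bits"))
    if any(s.kex == "DHE" for s in cfg.suites) and cfg.dhe_bits < p["dhe"]:
        findings.append(("parameters", f"DHE group {cfg.dhe_bits} < {p['dhe']} bits"))
    if any(s.kex == "ECDHE" for s in cfg.suites) and cfg.ecdhe_bits < p["ecdhe"]:
        findings.append(("parameters", f"ECDHE curve {cfg.ecdhe_bits} < {p['ecdhe']} bits"))

    # 3. Per-suite checks: static DH is never acceptable; the bulk cipher must meet the floor.
    for s in cfg.suites:
        if s.kex == "DH":
            findings.append(("kex", f"{s.name}: static DH, not ephemeral"))
        if s.sym_bits < p["sym"]:
            findings.append(("cipher", f"{s.name}: {s.sym_bits} < {p['sym']} bits"))

    # 4. Ordering: no suite may rank higher than the one listed before it.
    for prev, cur in zip(cfg.suites, cfg.suites[1:]):
        if suite_rank(cur) > suite_rank(prev):
            findings.append(("ordering", f"{cur.name} should precede {prev.name}"))
    return findings


# Constructed server configuration with several deliberate problems:
# a non-FS suite listed first, a static-DH suite, and a 1024-bit DHE group.
BAD_CONFIG = ServerConfig(
    suites=[
        Suite("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", 256),
        Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", 128),
        Suite("TLS_DH_RSA_WITH_AES_128_CBC_SHA", "DH", 128),
        Suite("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE", 112),
    ],
    rsa_bits=2048, dhe_bits=1024, ecdhe_bits=256, server_preference=True,
)

# The same server after dropping static DH, re-ordering and enlarging the DH group.
GOOD_CONFIG = ServerConfig(
    suites=order_suites([s for s in BAD_CONFIG.suites if s.kex != "DH"]),
    rsa_bits=2048, dhe_bits=2048, ecdhe_bits=256, server_preference=True,
)

if __name__ == "__main__":
    for cat, msg in check_config(BAD_CONFIG, "DEFAULT"):
        print(f"[{cat}] {msg}")
    print("fixed config, DEFAULT:", check_config(GOOD_CONFIG, "DEFAULT"))
    print("fixed config, FUTURE:", check_config(GOOD_CONFIG, "FUTURE"))
```

Running it against `BAD_CONFIG` at the DEFAULT level reports the undersized DHE group, the static-DH suite and two ordering inversions; the corrected configuration passes DEFAULT but still fails FUTURE on the RSA key, the DH group and the 3DES suite, which is the point of having the level as a single system-wide knob rather than per-application settings.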