Here https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ is a proposal to use a specific cipher list string for SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
Especially this citation: "if that call is present and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call"
We have to rely on PSK. What is the reason behind the above advice?
Thanks, Frank
Hi!
On Thu, Apr 04, 2019 at 11:06:07PM +0200, Frank Ueberschar wrote:
> Here https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ is a proposal to use a specific cipher list string for SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
> Especially this citation: "if that call is present and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call"
> We have to rely on PSK. What is the reason behind the above advice?
The crypto policy does not cover those two options currently. The part covering GnuTLS applications seems to be more informative:
"If it contains PSK or SRP do nothing (these applications are not currently covered by the default policy)"
So I'd say you're good about using PSK.
My guesses about why this is set like it is:
The reasoning seems to be something like "Don't force applications to use a specific set of Cipher/MAC/Signature Algorithm/Key Exchange methods, if there are multiple interchangeable options."
By setting this to PROFILE=SYSTEM as default you allow the system administrator to disable specific ciphers for all applications. (e.g. disable 3DES-CBC system-wide)
If you've got PSK or SRP in the string I'd say it is quite likely that it's not possible to switch to something else without rewriting parts of the application, so there is nothing left to disable system-wide anyway.
All the best, David
On Thursday, 4 April 2019 23:06:07 CEST Frank Ueberschar wrote:
> Here https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ is a proposal to use a specific cipher list string for SSL_CTX_set_cipher_list(): "PROFILE=SYSTEM".
> Especially this citation: "if that call is present and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call"
> We have to rely on PSK. What is the reason behind the above advice?
> Thanks, Frank
More or less what David said. PSK and SRP are very specific use cases, ones that don't work on the open Internet and require close cooperation and communication between server administrator and user. Crypto Policies target common use cases with typical configurations (i.e. X.509 certificate authentication).
security@lists.fedoraproject.org
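The rule quoted in this thread can be applied mechanically when reviewing a package's C sources. The following is an added example, not part of the thread or of Fedora's tooling: the function names `classify` and `audit` and the sample source are constructed for illustration, and "contains PSK or SRP" is read as a literal substring test.

```python
import re

# Finds SSL_CTX_set_cipher_list(<ctx>, <arg>) and captures <arg>, which is
# either a C string literal or some other expression (variable, macro, ...).
CALL_RE = re.compile(
    r'\bSSL_CTX_set_cipher_list\s*\(\s*[^,()]+,\s*("(?:[^"\\]|\\.)*"|[^)]*?)\s*\)'
)

def classify(cipher_arg):
    """Apply the quoted guideline rule to the cipher-list argument."""
    if not (cipher_arg.startswith('"') and cipher_arg.endswith('"')):
        return "review"    # not a fixed string: the rule does not apply directly
    value = cipher_arg[1:-1]
    if value == "PROFILE=SYSTEM":
        return "ok"        # already defers to the system-wide policy
    if "PSK" in value or "SRP" in value:
        return "keep"      # PSK/SRP: not covered by the default policy
    return "replace"       # fixed string without PSK/SRP

def audit(source):
    """Return (line number, argument, verdict) for every call found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            arg = match.group(1).strip()
            findings.append((lineno, arg, classify(arg)))
    return findings

# Constructed sample input, not taken from any real package.
SAMPLE = '''\
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
SSL_CTX_set_cipher_list(ctx, "PSK-AES128-CBC-SHA");
SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM");
SSL_CTX_set_cipher_list(ctx, cfg->ciphers);
'''

if __name__ == "__main__":
    for lineno, arg, verdict in audit(SAMPLE):
        print(f"line {lineno}: {verdict:8} {arg}")
```

A "review" verdict means the cipher list is built at run time, so a person has to check where the string comes from.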