F23 System Wide Change: Disable SSL3 and RC4 by default

Jan Kurik jkurik at redhat.com
Tue Apr 28 10:10:37 UTC 2015

= Proposed System Wide Change: Disable SSL3 and RC4 by default =

Change owner(s): Nikos Mavrogiannopoulos <nmav at redhat.com>

This change will disable by default the SSL 3.0 protocol and the RC4 cipher in components which use the system wide crypto policy. That is, gnutls and openssl libraries, and all the applications based on them. 

== Detailed Description ==
There are serious vulnerabilities known to the SSL 3.0 protocol, since a decade. Recent attacks (e.g., the POODLE issue #1152789) take advantage of them, negating the secrecy offerings of the protocol. The RC4 cipher is also considered cryptographically broken, and new attacks against its secrecy are made known every year (#1207101). Since attacks are only getting better, we should disable these broken protocols and ciphers system wide. 

== Scope ==
* Proposal owners: The crypto-policies package has to be updated to accommodate the new policies.
* Other developers: Should verify that their package works after the change. That is that their package doesn't require only SSL 3.0, or only the RC4 ciphersuites. If their package requires these options due to design, they should consider contacting upstream to update the software. If that is not possible, or this support is needed to contact legacy servers, they should consider not using the system wide policy, and make that apparent in the package documentation. 
* Release engineering: This feature doesn't require coordination with release engineering. 
* Policies and guidelines: The packaging guidelines do not need to be changed. 

Jan Kuřík

More information about the devel-announce mailing list