F21 System Wide Change: System-wide crypto policy

Jaroslav Reznik jreznik at redhat.com
Thu Feb 27 16:22:43 UTC 2014

= Proposed System Wide Change: System-wide crypto policy =

Change owner(s): Nikos Mavrogiannopoulos <nmav at redhat.com>

Unify the crypto policies used by different applications and libraries. That is, 
allow setting a consistent security level for crypto on all applications in a 
Fedora system. 

== Detailed Description ==
The idea is to have some predefined security levels such as LEVEL-80, 
LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. 
These will be the security levels that the administrator of the system will 
be able to configure by modifying

and being applied after executing update-crypto-profiles.
(Note: it would be better to have a daemon that watches those files and
runs update-crypto-profiles automatically)

After that the administrator should be assured that any application
that uses the system settings will follow a policy that adheres to
the configured profile. 

Ideally, setting a profile should set:
* the acceptable TLS/SSL (and DTLS) versions
* the acceptable ciphersuites and the preferred order
* acceptable parameters in certificates and key exchange, i.e.:
** the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
** the acceptable elliptic curves (ECDH,ECDSA)
** the acceptable signature hash functions
* other TLS options such as:
** safe renegotiation
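
As an added illustration (not part of the proposal or of any Fedora tool), the Python below models a profile with the fields listed above and checks a described TLS connection against it. The profile contents, field names and the sample connection are assumptions made for the example; the minimum sizes follow the NIST SP 800-57 strength equivalences.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    tls_versions: tuple      # acceptable TLS/SSL versions
    ciphersuites: tuple      # acceptable suites, in preferred order
    min_bits: dict           # minimum parameter size per algorithm
    curves: frozenset        # acceptable elliptic curves
    sig_hashes: frozenset    # acceptable signature hash functions
    safe_renegotiation: bool = True

# Constructed profiles: the level names come from the proposal, the values
# are assumptions (sizes per NIST SP 800-57 strength equivalences).
PROFILES = {
    "LEVEL-80": Profile(
        ("TLS1.0", "TLS1.1", "TLS1.2"),
        ("ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"),
        {"RSA": 1024, "DH": 1024, "DSA": 1024, "ECDH": 160, "ECDSA": 160},
        frozenset({"secp192r1", "secp256r1", "secp384r1"}),
        frozenset({"SHA1", "SHA256", "SHA384", "SHA512"})),
    "LEVEL-128": Profile(
        ("TLS1.2",),
        ("ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"),
        {"RSA": 3072, "DH": 3072, "DSA": 3072, "ECDH": 256, "ECDSA": 256},
        frozenset({"secp256r1", "secp384r1"}),
        frozenset({"SHA256", "SHA384", "SHA512"})),
}

def violations(profile_name, conn):
    """Return the reasons a described connection falls outside the profile."""
    p, out = PROFILES[profile_name], []
    if conn["version"] not in p.tls_versions:
        out.append("version " + conn["version"])
    if conn["ciphersuite"] not in p.ciphersuites:
        out.append("ciphersuite " + conn["ciphersuite"])
    for alg, bits in conn["params"].items():
        need = p.min_bits.get(alg)
        if need is None or bits < need:   # unknown algorithms fail closed
            out.append(f"{alg} {bits} < {need} bits")
    if conn.get("curve") and conn["curve"] not in p.curves:
        out.append("curve " + conn["curve"])
    if conn["sig_hash"] not in p.sig_hashes:
        out.append("signature hash " + conn["sig_hash"])
    if p.safe_renegotiation and not conn["safe_renegotiation"]:
        out.append("no safe renegotiation")
    return out

# Constructed sample: a connection as a legacy server might negotiate it.
SAMPLE = {"version": "TLS1.0", "ciphersuite": "DHE-RSA-AES128-SHA",
          "params": {"RSA": 2048, "DH": 1024}, "curve": None,
          "sig_hash": "SHA1", "safe_renegotiation": True}
```

The same connection passes under the constructed LEVEL-80 profile and fails five checks under LEVEL-128, which is the kind of system-wide tightening a single profile switch is meant to produce.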

An idea of how this will be implemented is to have each Fedora application's 
file or compilation option will set a system default option. That is for 
example for
applications that use GnuTLS or OpenSSL a priority string or cipher named 
Then the shipped library will make sure that once the "SYSTEM" option is 
the preconfigured system settings will be applied.

The preconfigured settings for each SSL library will be auto-generated
from the default profile in

== Scope ==
There are changes required in GnuTLS, OpenSSL and NSS libraries. In a second 
phase non-SSL crypto libraries could use these settings.

* Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be 
understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be 
overloaded to behave as above.

After that, a mechanism to specify crypto policies for Fedora has to be 
devised, as well as the extraction to each library's settings.

* Other developers: Packages that use SSL crypto libraries should, after the 
previous change is complete, start replacing the default cipher strings with 

* Release engineering: This feature does not require coordination with release 

* Policies and guidelines: After the change is complete, the packaging 
guidelines should mention the above replacement of the default cipher strings 
with "SYSTEM". This of course need not affect programs that do not have a 
mechanism for setting ciphers/modes that is already in wide use (e.g., 
browsers). It mostly targets applications that use some reasonable (or 
unreasonable) defaults and the user/administrator has little control of them.