F21 System Wide Change: System-wide crypto policy

Nikos Mavrogiannopoulos nmav at redhat.com
Thu Feb 27 17:33:41 UTC 2014


On Thu, 2014-02-27 at 08:42 -0800, Toshio Kuratomi wrote:
> > After that the administrator should be assured that any application
> > that uses the system settings will follow a policy that adheres to
> > the configured profile.
> > Ideally setting a profile should be setting:
> > * the acceptable TLS/SSL (and DTLS) versions
> > * the acceptable ciphersuites and the preferred order
> > * acceptable parameters in certificates and key exchange, i.e.:
> > ** the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
> > ** the acceptable elliptic curves (ECDH,ECDSA)
> > ** the acceptable signature hash functions
> > * other TLS options such as:
> > ** safe renegotiation
> >
> Does this configuration limit the algorithms that are available or
> only the options that can be given to those algorithms or only the
> default values of those algorithms?

I'm not sure I fully understand the question. This configuration will
limit the available algorithms (e.g., will disable RC4), but it will
also limit some options of the algorithms (e.g., RSA using 1024 bits or
more - at least for the libraries that have support for such options).
Does this answer your question?

regards,
Nikos
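The profile in the quoted bullet list, and the enforcement Nikos describes in the reply (RC4 disabled, undersized RSA keys refused), modelled as an added Python example. This is not code from the proposal or from any Fedora crypto-policies implementation: the profile keys, the HandshakeParams fields and the two sample peers are constructed assumptions, chosen to show how a single profile would both remove algorithms and constrain the parameters of the ones that remain.

```python
"""Toy model of a system-wide crypto profile and the check a library
honouring that profile would run against a proposed TLS handshake.
Added example; field names and sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed profile following the proposal's bullets: protocol versions,
# ciphersuites in preferred order, minimum parameter sizes, curves, hashes
# and the "other TLS options" such as safe renegotiation.
STRICT_PROFILE = {
    "tls_versions": {"TLS1.0", "TLS1.1", "TLS1.2"},
    "ciphersuites": [  # first entry is the most preferred; RC4 is absent
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
    ],
    "min_bits": {"RSA": 1024, "DSA": 1024, "DH": 1024, "ECDH": 224, "ECDSA": 224},
    "curves": {"secp256r1", "secp384r1"},
    "hashes": {"SHA256", "SHA384", "SHA512"},
    "require_safe_renegotiation": True,
}


@dataclass
class HandshakeParams:
    """What the peer proposed and what its certificate/key exchange uses."""
    tls_version: str
    offered_ciphersuites: list      # peer's offer, in the peer's order
    key_algorithm: str              # "RSA", "DSA", "DH", "ECDH" or "ECDSA"
    key_bits: int
    signature_hash: str
    safe_renegotiation: bool
    curve: Optional[str] = None     # only meaningful for ECDH/ECDSA


def select_ciphersuite(profile, offered):
    """Pick the first suite in the profile's preferred order that the peer
    offered (the profile's order wins, not the peer's); None if no overlap."""
    offered_set = set(offered)
    for suite in profile["ciphersuites"]:
        if suite in offered_set:
            return suite
    return None


def check_handshake(profile, p):
    """Return every policy violation for this handshake; an empty list means
    the handshake is allowed under the profile."""
    violations = []
    if p.tls_version not in profile["tls_versions"]:
        violations.append(f"protocol {p.tls_version} not allowed")
    if select_ciphersuite(profile, p.offered_ciphersuites) is None:
        violations.append("no acceptable ciphersuite offered")
    min_bits = profile["min_bits"].get(p.key_algorithm)
    if min_bits is None:
        violations.append(f"key algorithm {p.key_algorithm} not allowed")
    elif p.key_bits < min_bits:
        violations.append(
            f"{p.key_algorithm} key of {p.key_bits} bits below minimum {min_bits}")
    if p.key_algorithm in ("ECDH", "ECDSA") and p.curve not in profile["curves"]:
        violations.append(f"curve {p.curve} not allowed")
    if p.signature_hash not in profile["hashes"]:
        violations.append(f"signature hash {p.signature_hash} not allowed")
    if profile["require_safe_renegotiation"] and not p.safe_renegotiation:
        violations.append("peer does not support safe renegotiation")
    return violations


# Constructed sample peers: one legacy peer that trips several rules at once,
# one modern peer that is accepted even though it also lists RC4.
LEGACY_PEER = HandshakeParams("TLS1.0", ["RC4-SHA", "RC4-MD5"],
                              "RSA", 512, "SHA1", False)
MODERN_PEER = HandshakeParams(
    "TLS1.2", ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "ECDSA", 256, "SHA256", True, curve="secp256r1")

if __name__ == "__main__":
    for name, peer in (("legacy", LEGACY_PEER), ("modern", MODERN_PEER)):
        suite = select_ciphersuite(STRICT_PROFILE, peer.offered_ciphersuites)
        print(name, "->", suite, check_handshake(STRICT_PROFILE, peer) or "OK")
```

The two functions separate the two effects the reply mentions: `select_ciphersuite` removes algorithms outright (RC4 never wins because the profile does not list it), while `check_handshake` constrains the parameters of algorithms that remain allowed (RSA stays, but only at 1024 bits or more). An application that consults the profile through its TLS library would get the same outcome without carrying this logic itself.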