System-wide crypto policy transition tracker
Christopher
ctubbsii-fedora at apache.org
Wed Jan 7 17:14:52 UTC 2015
On Wed, Jan 7, 2015 at 4:04 AM, Nikos Mavrogiannopoulos <nmav at redhat.com>
wrote:
> On Tue, 2015-01-06 at 12:16 -0500, Christopher wrote:
>
>
> > Are there any guidelines for enforcing crypto policies in Java
> > applications.
> > Primarily, I was thinking about those Java applications that use JSSE
> > system properties or similar user-driven configuration to specify
> > keystores. Are those affected by this crypto policy at all?
>
> Not yet. I haven't started a process on that, as I'd like to have time
> to spend on the successful deployment on openssl, gnutls and hopefully
> nss. However, maybe we don't need to do everything in a serialized way.
> If you are interested in that, may I suggest to fill feature request
> with the relevant java packages shipped in fedora?
>
> I've put a tracker of the crypto policies applicability at:
> https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies
>
> > Also, what about situations where SSL/TLS is off by default in the
> > application, but is an available as an optional feature, if the user
> > configures it? Since users are obliged to configure it, it seems
> > there's not much for a packager to do in those situations, because
> > that depends on the user's configuration, right?
>
> I'm not sure I understand the question. Let's see wget.
> wget http://www.amazon.com ----> no ssl
> wget https://www.amazon.com ----> ssl with system wide policies
> wget --secure-protocol=TLSv1 -----> application/user specific policy
>
> That is the default policies should be used if the user simply asks for
> SSL/TLS without being more specific.
>
>
I was more curious about services (vs. clients) which provide optional
SSL/TLS features (httpd, as a representative example case), and how this
policy would apply to the default configs for such services. My package,
accumulo, has such a feature, but a user has to edit configuration to turn
it on, specifying keystores, truststores, algorithms, etc. (analogous to
httpd). The default config ships with it turned off, because it's a lot of
overhead, and the primary use case (in a cloud) doesn't require secure
connections. I just want to make sure that if this policy affects me, I do
the right thing to comply. It doesn't seem like it affects me, as I
understand it.
Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150107/903253ce/attachment.html>
More information about the devel
mailing list