F23 System Wide Change: Disable SSL3 and RC4 by default

Stephen Gallagher sgallagh at redhat.com
Wed May 6 12:50:47 UTC 2015 


----- Original Message -----
> From: "Jan Kurik" <jkurik at redhat.com>
> To: devel-announce at lists.fedoraproject.org
> Sent: Tuesday, April 28, 2015 6:10:37 AM
> Subject: F23 System Wide Change: Disable SSL3 and RC4 by default
> 
> = Proposed System Wide Change: Disable SSL3 and RC4 by default =
> https://fedoraproject.org/wiki/Changes/RemoveSSL3andRc4
> 
> Change owner(s): Nikos Mavrogiannopoulos <nmav at redhat.com>
> 
> This change will disable by default the SSL 3.0 protocol and the RC4 cipher
> in components which use the system wide crypto policy. That is, gnutls and
> openssl libraries, and all the applications based on them.
> 
> == Detailed Description ==
> There are serious vulnerabilities known to the SSL 3.0 protocol, since a
> decade. Recent attacks (e.g., the POODLE issue #1152789) take advantage of
> them, negating the secrecy offerings of the protocol. The RC4 cipher is also
> considered cryptographically broken, and new attacks against its secrecy are
> made known every year (#1207101). Since attacks are only getting better, we
> should disable these broken protocols and ciphers system wide.
> 
> == Scope ==
> * Proposal owners: The crypto-policies package has to be updated to
> accommodate the new policies.
> * Other developers: Should verify that their package works after the change.
> That is that their package doesn't require only SSL 3.0, or only the RC4
> ciphersuites. If their package requires these options due to design, they
> should consider contacting upstream to update the software. If that is not
> possible, or this support is needed to contact legacy servers, they should
> consider not using the system wide policy, and make that apparent in the
> package documentation.
> * Release engineering: This feature doesn't require coordination with release
> engineering.
> * Policies and guidelines: The packaging guidelines do not need to be
> changed.
> 

>From the Change proposal, Upgrade/Compatibility Impact:
"After this change, there may be no impact on compatibility after upgrade, if the local network of the user contains servers which only support the removed protocols or ciphers."

I suspect this should be updated to note that there IS a clear compatibility change with this feature. Or is this supposed to be stating that upgrades will NOT disable the existing ciphers?

Basically, there are two options that we can take for upgrades from F22:
1) Upgrade disables the legacy protocols and users must manually re-enable them if they need to.
2) Upgrade maintains whatever protocols the user had enabled in F22.


Personally, I prefer option 1) so that upgraded systems and freshly-installed systems are the same. Either way, this needs to be clearly stated in the Upgrade section of the Change, please.



> --
> Jan Kuřík
> _______________________________________________
> devel-announce mailing list
> devel-announce at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel-announce
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

More information about the devel mailing list