proposed text for crypto-policies in Packaging Guidelines
Nikos Mavrogiannopoulos
nmav at redhat.com
Fri Aug 8 08:20:29 UTC 2014
Hello,

I plan to submit the following text for packaging guidelines regarding
crypto policies. Are there any comments or suggestions?

Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy)
there are policies for the usage of SSL and TLS cryptographic protocols
that are enforced system-wide. Each application being added to Fedora
must be checked to comply with the policies. Currently the policies are
restricted to applications using GnuTLS and OpenSSL.

* OpenSSL applications: If the application provides a configuration
file that allows modifying the cipher list string, ensure that the
default is "PROFILE=SYSTEM". Otherwise, if the application doesn't have
a configuration file, ensure that there is no default cipher list
specified, or that the default list is set as "PROFILE=SYSTEM".

* GnuTLS applications: If the application provides a configuration file
that allows modifying the cipher priority string, ensure that the
default is "@SYSTEM". Otherwise, if the application doesn't have a
configuration file, ensure that it uses gnutls_set_default_priority(),
or that the default priority string is "@SYSTEM".

Applications utilizing other cryptographic libraries do not adhere to
the system-wide crypto policies.

regards,
Nikos
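
A packager-side check for the two bullets in the message above, as an added example that is not part of the original post or of any Fedora tooling: it scans C source for the OpenSSL and GnuTLS calls that set a cipher list or priority string and flags literals other than "PROFILE=SYSTEM" or "@SYSTEM". The function names audit and EXPECTED and the sample source are assumptions made for this illustration; calls inside C comments are matched too.

```python
import re

# Calls that set a cipher list / priority string, mapped to the default the
# proposed guideline expects (None: the call itself follows system policy).
EXPECTED = {
    "SSL_CTX_set_cipher_list": "PROFILE=SYSTEM",
    "SSL_set_cipher_list": "PROFILE=SYSTEM",
    "gnutls_priority_init": "@SYSTEM",
    "gnutls_priority_set_direct": "@SYSTEM",
    "gnutls_set_default_priority": None,
}
# name "(" <arguments up to the first string literal or parenthesis> [literal]
CALL = re.compile(r'\b(%s)\s*\([^()"]*(?:"((?:[^"\\]|\\.)*)")?' % "|".join(EXPECTED))

def audit(source):
    """Return (line, function, verdict) for every matching call in C source."""
    findings = []
    for m in CALL.finditer(source):
        func, literal = m.group(1), m.group(2)
        if EXPECTED[func] is None or literal == EXPECTED[func]:
            verdict = "ok"
        elif literal is not None:
            verdict = "hard-coded: " + literal
        else:
            verdict = "review: not a string literal, trace where the default comes from"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, func, verdict))
    return findings

# Constructed sample, not taken from any real package.
SAMPLE = r'''
void setup(SSL_CTX *ctx, gnutls_session_t s, const char *conf)
{
    SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");
    if (SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM") != 1) { fail("bad list"); }
    gnutls_priority_set_direct(s, "NORMAL:-VERS-SSL3.0", NULL);
    gnutls_priority_set_direct(s, conf, NULL);
    gnutls_set_default_priority(s);
}
'''

if __name__ == "__main__":
    for line, func, verdict in audit(SAMPLE):
        print("line %d: %s -> %s" % (line, func, verdict))
```

A "review" verdict means the string comes from a variable, typically a configuration option, so the default of that option is what has to be checked against the guideline.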