System crypto policies vs gnutls upstream compatibility
Daniel P. Berrange
berrange at redhat.com
Mon Feb 9 15:10:07 UTC 2015
There have been many bugs filed against apps using crypto libraries to
update them to use the system crypto policy by default. I'm currently
looking at how to address the one filed against GTK-VNC
https://bugzilla.redhat.com/show_bug.cgi?id=1179301
The current GTK-VNC code sets the priority conditionally depending on
wht VNC auth mech chosen earlier:
gnutls_priority_set_direct(priv->tls_session,
anonDH ? "NORMAL" : "NORMAL:+ANON-DH",
NULL)
So I can't just use gnutls_set_default_priority(), unless there's a way
to ask for "+ANON-DH" separately afterwards ?
At first I thought I could just replace "NORMAL" with "@SYSTEM". Looking
at the GNUTLS upstream code though, the "@SYSTEM" string is only ever
defined in the external crypto policy file and GNUTLS does not appear to
install any such file by default. So I can't use "@SYSTEM" unconditionally
when building against newer gnutls versions, as I can't rely on it existing
even ifi gnutls is new enough.
So it seems like either these crypto policy changes require apps to carry
Fedora/RHEL specific patches, or to pass in the default crypto policy
name as a configure arg perhaps & rely on distro maintainers to set it
when needed (eg ./configure --crypto-policy=@SYSTEM).
Anyone have any better suggestions for cleanly supporting the new system
crypto policies in upstream apps while maintaining compat across distros
and old gnutls versions, assunming gnutls_set_default_priority is out of
the question?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the security
mailing list