System crypto policies vs gnutls upstream compatibility

Nikos Mavrogiannopoulos nmav at redhat.com
Mon Feb 9 16:18:22 UTC 2015


On Mon, 2015-02-09 at 15:10 +0000, Daniel P. Berrange wrote:
> There have been many bugs filed against apps using crypto libraries to
> update them to use the system crypto policy by default. I'm currently
> looking at how to address the one filed against GTK-VNC
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=1179301
> 
> The current GTK-VNC code sets the priority conditionally depending on
> what VNC auth mech chosen earlier:
> 
>    gnutls_priority_set_direct(priv->tls_session,
>                               anonDH ? "NORMAL" : "NORMAL:+ANON-DH",
> 			      NULL)
> 
> So I can't just use gnutls_set_default_priority(), unless there's a way
> to ask for "+ANON-DH" separately afterwards ?
> At first I thought I could just replace "NORMAL" with "@SYSTEM". Looking
> at the GNUTLS upstream code though, the "@SYSTEM" string is only ever
> defined in the external crypto policy file and GNUTLS does not appear to
> install any such file by default. So I can't use "@SYSTEM" unconditionally
> when building against newer gnutls versions, as I can't rely on it existing
> even if gnutls is new enough.

The @SYSTEM keyword for gnutls is available in Fedora systems. It is
made available by gnutls and crypto-policies in Fedora. You can test it
in F21 by "gnutls-cli --priority @SYSTEM --list".

However, if you don't want to depend on it, you could do something like:
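    if (!anonDH)
        /* follow the library default priority */
        gnutls_set_default_priority(priv->tls_session);
    else
        /* anonymous DH has to be enabled explicitly */
        gnutls_priority_set_direct(priv->tls_session, "NORMAL:+ANON-DH", NULL);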

(most probably you need to add +ANON-ECDH as well).

Using anonymous Diffie-Hellman is already something not allowed by the
policy, so in that case it wouldn't matter much how hard you try to
stick with it.

regards,
Nikos
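
The selection logic discussed in this thread, as an added example that is not part of the original message or of GTK-VNC: authenticated sessions try "@SYSTEM" and fall back to "NORMAL", while anonymous sessions name their key exchanges explicitly. The `prio_setter` callback and the two stand-in setters are hypothetical; the example assumes a gnutls build without a system policy rejects "@SYSTEM" with a negative return code.

```c
#include <stddef.h>
#include <stdio.h>

/* Applies one priority string; returns 0 on success, negative on failure.
 * With libgnutls this would be a thin wrapper around
 *   gnutls_priority_set_direct(session, prio, NULL)
 * (assumption: an unresolvable "@SYSTEM" yields a negative error code). */
typedef int (*prio_setter)(void *session, const char *prio);

/* Candidates in order of preference. Anonymous key exchange is outside the
 * system policy, so that path enables its key exchanges explicitly. */
static const char *const AUTH_PRIOS[] = { "@SYSTEM", "NORMAL", NULL };
static const char *const ANON_PRIOS[] = { "NORMAL:+ANON-ECDH:+ANON-DH", NULL };

/* Apply the first candidate the library accepts. Returns the string that was
 * applied, or NULL if all were rejected; the caller should then abort rather
 * than handshake on an unconfigured session. */
const char *apply_priority(void *session, int anon_dh, prio_setter set)
{
    const char *const *list = anon_dh ? ANON_PRIOS : AUTH_PRIOS;
    for (size_t i = 0; list[i] != NULL; i++) {
        if (set(session, list[i]) == 0)
            return list[i];
    }
    return NULL;
}

/* Constructed stand-in: a build with no system policy file, which rejects
 * any "@KEYWORD" string and accepts everything else. */
int setter_without_policy(void *session, const char *prio)
{
    (void)session;
    return prio[0] == '@' ? -1 : 0;
}

/* Constructed stand-in: a Fedora-style build where "@SYSTEM" resolves. */
int setter_with_policy(void *session, const char *prio)
{
    (void)session; (void)prio;
    return 0;
}

int main(void)
{
    printf("no policy, x509: %s\n", apply_priority(NULL, 0, setter_without_policy));
    printf("policy, x509:    %s\n", apply_priority(NULL, 0, setter_with_policy));
    printf("policy, anon:    %s\n", apply_priority(NULL, 1, setter_with_policy));
    return 0;
}
```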



