Hi,
On Fri, 2022-04-29 at 17:49 -0400, Ben Cotton wrote:
> Changes like this have been very disruptive in the past because they
> haven't been completely thought through.
> Can we please make 100% sure these policies are not going to break
> things like VPN clients in the way that we have before?
This is the reason why the proposal contains extensive methods to test
whether things are going to break by modifying the crypto-policy or using
bpftrace. Unfortunately there are hundreds of packages that depend on
cryptographic libraries, and millions of different configurations out there.
We can’t know ahead of time which ones of them are going to break, but the
proposal provides tools and a long transition period to identify and fix
them.
Dan Čermák <dan.cer...@cgc-instruments.com> wrote:
> They are going to break things, but Ubuntu 22.04 deprecated SHA1
> signatures already, so it's very likely that a good chunk of the fallout
> will be cleared by the time Fedora 38 and 39 ship.
This isn’t going to help our cause, but this isn’t correct from what I can
see. The Ubuntu 22.04 release notes [1] say:
"In particular, certificates using SHA1 or MD5 as hash algorithms are now
invalid under the default security level."
Note that this only affects *certificates*, while our changes affect *all
signatures made with SHA1*, not just those in certificates.
I’ve also checked the published source package for Ubuntu, and it seems they
are just setting SECLEVEL to 2 plus raising the default TLS version to 1.2
when SECLEVEL is 2.
In conclusion: Ubuntu isn’t ahead of us here.
[1]: https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
--
Clemens Lang
RHEL Crypto Team
Red Hat
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org