On Tue, Jan 6, 2015 at 9:20 AM, Nikos Mavrogiannopoulos
<n...@redhat.com> wrote:
> Hello,
> I've created a transition tracker to system-wide crypto policy at:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179209
> Currently it contains bugs filed against openssl and gnutls
> applications in Fedora. If you use some application which utilizes
> SSL/TLS and isn't included in the tracker feel free to request it use
> the policy, and include a link to the bug report in the tracker.

Hi,

This looks like a big improvement. I have a few questions about what to
expect @SYSTEM to include in F22:
* Will the system priority string include %COMPAT?
* Will it include %LATEST_RECORD_VERSION? (WebKitGTK+ has been using
this at your suggestion, since servers started blocking SSLv3 record
versions.)
* Given that GnuTLS 3.4 seems unlikely to be stable before F22, will it
include !VERS-SSL3.0?
* And what about !ARCFOUR-128?

Now a hypothetical: say some new attack is published and some new set
of ciphersuites is considered weak. Can applications trust that the
system-provided string will always be secure (or represent a reasonable
security-compatibility trade-off)? Of course that might depend on the
severity of the attack, so more specifically: if POODLE were to be
discovered one month after F22 is released, would @SYSTEM be
immediately updated to include !VERS-SSL3.0, or would a change like
that be delayed until the next Fedora release? If the change was
delayed, would application-specific patches to change the default
priority string be permitted?

Lastly, one criticism: I'm really unsure why any of this is being
treated as Fedora-specific. Other distributions should benefit from
this work as well. In particular, an upstream application developer
needs some way to specify "secure defaults please and thank you" and it
looks like gnutls_set_default_priority() will be the way to get that on
Fedora. But upstream projects would be amiss to use the default
priority, which is a shame. I'd really like for upstream projects to
not have to worry about the priority string unless they choose to.

Thanks,
Michael
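To make the questions above concrete, here is an added toy model (not GnuTLS code, and not from either poster) of how a priority string such as "@SYSTEM:!ARCFOUR-128" could be resolved: the @SYSTEM keyword is looked up in a constructed in-memory policy, and the tokens an application appends are applied on top of it. POLICY_FILE, BASE_KEYWORDS, the cipher and version lists, and the assumption that application tokens after @SYSTEM are honoured are all constructed for illustration; the real resolver and policy file format differ.

```python
"""Toy model of GnuTLS-style priority string resolution (constructed, not GnuTLS's own).

Modelled: a base keyword, '@NAME' lookup in a policy table, 'VERS-*' protocol
versions, cipher names, '!'/'-' removal, '+' addition and '%' option flags.
"""

# Constructed stand-in for a system-wide policy; what @SYSTEM expands to here
# is an assumption, not Fedora's actual policy content.
POLICY_FILE = {
    "SYSTEM": "NORMAL:%LATEST_RECORD_VERSION:!VERS-SSL3.0",
}

# Constructed, deliberately small base keyword contents.
BASE_KEYWORDS = {
    "NORMAL": {
        "versions": ["VERS-TLS1.2", "VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0"],
        "ciphers": ["AES-256-GCM", "AES-128-GCM", "AES-128-CBC", "ARCFOUR-128"],
    },
}


def _kind(item):
    """Route a token to the list it affects (protocol version or cipher)."""
    return "versions" if item.startswith("VERS-") else "ciphers"


def resolve_priority(spec, policy=POLICY_FILE, bases=BASE_KEYWORDS):
    """Return {'versions': [...], 'ciphers': [...], 'options': set()} for spec."""
    tokens = spec.split(":")
    # Expand a leading @NAME; tokens the application appended stay after it,
    # so they are applied on top of the system policy (model assumption).
    if tokens[0].startswith("@"):
        name = tokens[0][1:]
        if name not in policy:
            raise ValueError(f"unknown policy keyword @{name}")
        tokens = policy[name].split(":") + tokens[1:]
    if tokens[0] not in bases:
        raise ValueError(f"must start with a base keyword, got {tokens[0]!r}")
    state = {k: list(v) for k, v in bases[tokens[0]].items()}
    state["options"] = set()
    for tok in tokens[1:]:
        if tok.startswith("%"):                      # option flag, e.g. %COMPAT
            state["options"].add(tok[1:])
        elif tok[0] in "!-":                         # removal ('!' and '-' treated alike here)
            item = tok[1:]
            state[_kind(item)] = [x for x in state[_kind(item)] if x != item]
        elif tok.startswith("+"):                    # addition, appended at lowest priority
            item = tok[1:]
            if item not in state[_kind(item)]:
                state[_kind(item)].append(item)
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return state
```

With the constructed policy, "@SYSTEM" already drops SSL 3.0 but keeps ARCFOUR-128; an application can still remove it by appending ":!ARCFOUR-128", which is the kind of application-level override the thread asks about.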
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct