packages/crypto-policies
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
crypto-policies/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch
yixiangzhike 75927e6f73 backport upstream patch to add more notes for crypto-policies exceptions 
Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
2022-10-20 02:49:00 +00:00

57 lines
2.1 KiB
Diff
Raw Blame History

From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 2 Jul 2020 15:40:01 +0200
Subject: [PATCH] Describe some of the quirks of the back-end config
generators.
---
crypto-policies.7.txt | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt
index 0971935..2b583b8 100644
--- a/crypto-policies.7.txt
+++ b/crypto-policies.7.txt
@@ -277,7 +277,7 @@ COMMANDS
NOTES
-----
-*Exceptions:*
+*Exceptions*
* *Go-language* applications do not yet follow the system-wide policy.
* *GnuPG-2* application does not follow the system-wide policy.
@@ -323,6 +323,29 @@ of individual applications:
* all *ECC* curves incompatible with *TLS 1.3*, including secp256k1
* *IKEv1*
+*Notable irregularities in the individual configuration generators*
+
+* *OpenSSL*: The minimum length of the keys and some other parameters
+are enforced by the @SECLEVEL value which does not provide a fine
+granularity. The list of *TLS* ciphers is not generated as an exact list
+but by subtracting from all the supported ciphers for the enabled key
+exchange methods. For that reason there is no way to disable a random cipher.
+In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not
+present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM*
+is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1*
+in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM*
+ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher
+list.
+
+* *GnuTLS*: The minimum length of the keys and some other parameters
+are enforced by min-verification-profile setting in the *GnuTLS* configuration
+file which does not provide fine granularity.
+
+* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy
+allows 1024 bit *DH* groups in general. The OpenSSH configuration option
+HostKeyAlgorithms is set only for the *SSH* server as otherwise the
+handling of the existing known hosts entries would be broken on client.
+
HISTORY
-------
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink