crypto-policies
No description set
- Devel package for openSUSE:Factory
-
6
derived packages
- Links to openSUSE:Factory / crypto-policies
- Has a link diff
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout security:tls/crypto-policies && cd $_
- Create Badge
Refresh
Refresh
Source Files
Filename | Size | Changed |
---|---|---|
README.SUSE | 0000000129 129 Bytes | |
_link | 0000000124 124 Bytes | |
_service | 0000000560 560 Bytes | |
_servicedata | 0000000257 257 Bytes | |
crypto-policies-FIPS.patch | 0000002917 2.85 KB | |
crypto-policies-no-build-manpages.patch | 0000001277 1.25 KB | |
crypto-policies-test_supported_modules_only.patch | 0000000401 401 Bytes | |
crypto-policies.7.gz | 0000006127 5.98 KB | |
crypto-policies.changes | 0000007442 7.27 KB | |
crypto-policies.spec | 0000008348 8.15 KB | |
fedora-crypto-policies-20210917.c9d86d1.tar.gz | 0000075022 73.3 KB | |
update-crypto-policies.8.gz | 0000004018 3.92 KB |
Revision 14 (latest revision is 31)
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 921336
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 14)
- Remove the scripts and documentation regarding fips-finish-install and test-fips-setup * Add crypto-policies-FIPS.patch - Update to version 20210917.c9d86d1: * openssl: fix disabling ChaCha20 * pacify pylint 2.11: use format strings * pacify pylint 2.11: specify explicit encoding * fix minor things found by new pylint * update-crypto-policies: --check against regenerated * update-crypto-policies: fix --check's walking order * policygenerators/gnutls: revert disabling DTLS0.9... * policygenerators/java: add javasystem backend * LEGACY: bump 1023 key size to 1024 * cryptopolicies: fix 'and' in deprecation warnings * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 * nss: hopefully the last fix for nss sigalgs check * cryptopolicies: Python 3.10 compatibility * nss: postponing check + testing at least something * Rename 'policy modules' to 'subpolicies' * validation.rules: fix a missing word in error * cryptopolicies: raise errors right after warnings * update-crypto-policies: capitalize warnings * cryptopolicies: syntax-precheck scope errors * .gitlab-ci.yml, Makefile: enable codespell * all: fix several typos * docs: don't leave zero TLS/DTLS protocols on * openssl: separate TLS/DTLS MinProtocol/MaxProtocol * alg_lists: order protocols new-to-old for consistency * alg_lists: max_{d,}tls_version
Comments 2
The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.
I already had added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in tumbleweed in order to keep OpenVPN working, so I cannot say for sure but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.
Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.
Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce. TIA.