crypto-policies
No description set
- Devel package for openSUSE:Factory
-
6
derived packages
- Links to openSUSE:Factory / crypto-policies
- Has a link diff
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout security:tls/crypto-policies && cd $_
- Create Badge
Refresh
Refresh
Source Files
Filename | Size | Changed |
---|---|---|
README.SUSE | 0000000221 221 Bytes | |
_link | 0000000124 124 Bytes | |
_service | 0000000560 560 Bytes | |
_servicedata | 0000000257 257 Bytes | |
crypto-policies-FIPS.patch | 0000003070 3 KB | |
crypto-policies-no-build-manpages.patch | 0000001278 1.25 KB | |
crypto-policies-policygenerators.patch | 0000001438 1.4 KB | |
crypto-policies-rpmlintrc | 0000000098 98 Bytes | |
crypto-policies-supported.patch | 0000001419 1.39 KB | |
crypto-policies.7.gz | 0000006770 6.61 KB | |
crypto-policies.changes | 0000010659 10.4 KB | |
crypto-policies.spec | 0000009824 9.59 KB | |
fedora-crypto-policies-20230420.3d08ae7.tar.gz | 0000085811 83.8 KB | |
update-crypto-policies.8.gz | 0000004179 4.08 KB |
Revision 15 (latest revision is 31)
Martin Pluskal (pluskalm)
accepted
request 1086482
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 15)
- Update the update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. [bsc#1209998] * Add crypto-policies-supported.patch - Update to version 20230420.3d08ae7: * openssl, alg_lists: add brainpool support * openssl: set Groups explicitly * codespell: ignore aNULL * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 * sequoia: add separate rpm-sequoia backend * crypto-policies.7: state upfront that FUTURE is not so interoperable * Makefile: update for asciidoc 10 * Skip the LibreswanGenerator and SequoiaGenerator: - Add crypto-policies-policygenerators.patch * Remove crypto-policies-test_supported_modules_only.patch * Rebase crypto-policies-no-build-manpages.patch - Update to version 20221214.a4c31a3: * bind: expand the list of disableable algorithms * libssh: Add support for openssh fido keys * .gitlab-ci.yml: install krb5-devel for krb5-config * sequoia: check using sequoia-policy-config-check * sequoia: introduce new back-end * Makefile: support overriding asciidoc executable name * openssh: make none and auto explicit and different * openssh: autodetect and allow forcing RequiredRSASize presence/name * openssh: remove _pre_8_5_ssh * pylintrc: update * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
Comments 2
The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.
I already had added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in tumbleweed in order to keep OpenVPN working, so I cannot say for sure but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.
Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.
Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce. TIA.