crypto-policies
No description set
- Devel package for openSUSE:Factory
-
6
derived packages
- Links to openSUSE:Factory / crypto-policies
- Has a link diff
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout security:tls/crypto-policies && cd $_ - Create Badge
Refresh
Refresh
Source Files
| Filename | Size | Changed |
|---|---|---|
| BSI.pol | 0000004157 4.06 KB | |
| README.SUSE | 0000000171 171 Bytes | |
| _link | 0000000124 124 Bytes | |
| _service | 0000000560 560 Bytes | |
| _servicedata | 0000000257 257 Bytes | |
| crypto-policies-FIPS.patch | 0000005890 5.75 KB | |
| crypto-policies-no-build-manpages.patch | 0000001278 1.25 KB | |
| crypto-policies-policygenerators.patch | 0000001443 1.41 KB | |
| crypto-policies-pylint.patch | 0000000595 595 Bytes | |
|
crypto-policies-revert-rh-allow-sha1-signatures.pa |
0000015395 15 KB | |
| crypto-policies-rpmlintrc | 0000000098 98 Bytes | |
| crypto-policies-supported.patch | 0000001371 1.34 KB | |
| crypto-policies.7.gz | 0000006937 6.77 KB | |
| crypto-policies.changes | 0000012771 12.5 KB | |
| crypto-policies.spec | 0000011320 11.1 KB | |
| fedora-crypto-policies-20230614.5f3458e.tar.gz | 0000085187 83.2 KB | |
| fips-finish-install.8.gz | 0000000825 825 Bytes | |
| fips-mode-setup.8.gz | 0000001648 1.61 KB | |
| update-crypto-policies.8.gz | 0000004154 4.06 KB |
Revision 21 (latest revision is 31)
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 1108344
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 21)
- Tests: Fix pylint versioning for TW and fix the parsing of the policygenerators to account for the commented lines correctly. * Add crypto-policies-pylint.patch * Rebase crypto-policies-policygenerators.patch - FIPS: Adapt the fips-mode-setup script to use the pbl command from the perl-Bootloader package to replace grubby. Add a note for transactional systems [jsc#PED-4578]. * Rebase crypto-policies-FIPS.patch
Comments 2
The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.
I already had added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in tumbleweed in order to keep OpenVPN working, so I cannot say for sure but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.
Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.
Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce. TIA.