crypto-policies
- Devel package for openSUSE:Factory
- 6 derived packages
- Links to openSUSE:Factory / crypto-policies
Checkout Package
osc -A https://api.opensuse.org checkout security:tls/crypto-policies && cd $_
Source Files
Filename | Size |
---|---|
README.SUSE | 171 Bytes |
_link | 124 Bytes |
_service | 560 Bytes |
_servicedata | 257 Bytes |
crypto-policies-FIPS.patch | 6.04 KB |
crypto-policies-no-build-manpages.patch | 1.25 KB |
crypto-policies-nss.patch | 1.96 KB |
crypto-policies-policygenerators.patch | 1.49 KB |
crypto-policies-pylint.patch | 595 Bytes |
crypto-policies-revert-rh-allow-sha1-signatures.pa | 16.6 KB |
crypto-policies-rpmlintrc | 98 Bytes |
crypto-policies-supported.patch | 1.34 KB |
crypto-policies.7.gz | 7.15 KB |
crypto-policies.changes | 14.1 KB |
crypto-policies.spec | 11.2 KB |
fedora-crypto-policies-20230920.570ea89.tar.gz | 88 KB |
fips-finish-install.8.gz | 950 Bytes |
fips-mode-setup.8.gz | 1.74 KB |
update-crypto-policies.8.gz | 4.06 KB |
Revision 23 (latest revision is 31)
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1114283 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 23)
Update to latest version and update jira tracking number from jsc#PED-4578 to jsc#PED-5041
Comments 2
The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.
I already had added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in tumbleweed in order to keep OpenVPN working, so I cannot say for sure but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.
Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.
Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce? TIA.