crypto-policies

Source Files
Filename                                               Size
README.SUSE                                            171 Bytes
_service                                               560 Bytes
_servicedata                                           257 Bytes
crypto-policies-FIPS.patch                             6.47 KB
crypto-policies-no-build-manpages.patch                1.25 KB
crypto-policies-nss.patch                              1.96 KB
crypto-policies-policygenerators.patch                 1.49 KB
crypto-policies-pylint.patch                           595 Bytes
crypto-policies-revert-rh-allow-sha1-signatures.patch  17.5 KB
crypto-policies-rpmlintrc                              98 Bytes
crypto-policies-supported.patch                        1.34 KB
crypto-policies.7.gz                                   7.26 KB
crypto-policies.changes                                16 KB
crypto-policies.spec                                   11.5 KB
fedora-crypto-policies-20240201.9f501f3.tar.gz         89.8 KB
fips-finish-install.8.gz                               949 Bytes
fips-mode-setup.8.gz                                   1.74 KB
update-crypto-policies.8.gz                            4.06 KB
Latest Revision
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 1154669 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 31)
- Update to version 20240201.9f501f3:
  * .gitlab-ci.yml: install sequoia-policy-config
  * java: disable ChaCha20-Poly1305 where applicable
  * fips-mode-setup: make sure ostree is detected in chroot
  * fips-finish-install: make sure ostree is detected in chroot
  * TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl
  * TEST-PQ: add a no-op subpolicy
  * update-crypto-policies: Keep mid-sentence upper case
  * fips-mode-setup: Write error messages to stderr
  * fips-mode-setup: Fix some shellcheck warnings
  * fips-mode-setup: Fix test for empty /boot
  * fips-mode-setup: Avoid 'boot=UUID=' if /boot == /
  * Update man pages
  * Rebase patches:
    - crypto-policies-FIPS.patch
    - crypto-policies-revert-rh-allow-sha1-signatures.patch

- Update to version 20231108.adb5572b:
  * Print matches in syntax deprecation warnings
  * Restore support for scoped ssh_etm directives
  * fips-mode-setup: Fix usage with --no-bootcfg
  * turn ssh_etm into an etm@SSH tri-state
  * fips-mode-setup: increase chroot-friendliness
  * bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
  * pylintrc: use-implicit-booleaness-not-comparison-to-*
Comments (2)

Anonymous Checkouts:

The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1, @SECLEVEL=0 is required.

I had already added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in Tumbleweed in order to keep OpenVPN working, so I cannot say for sure, but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.

Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY to no avail in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.

Pedro Monreal Gonzalez:

Thanks for your comments! Could you open a bug report in bugzilla.opensuse.org with as much information as possible and the steps to reproduce. TIA.
