crypto-policies

No description set
Source Files
Filename                                            Size
README.SUSE                                         135 Bytes
_service                                            602 Bytes
_servicedata                                        257 Bytes
crypto-policies-asciidoc.patch                      745 Bytes
crypto-policies-test_supported_modules_only.patch   386 Bytes
crypto-policies-typos.patch                         1.87 KB
crypto-policies.changes                             2.04 KB
crypto-policies.spec                                7.48 KB
fedora-crypto-policies-20210118.b21c811.obscpio     253 KB
fedora-crypto-policies.obsinfo                      123 Bytes
Revision 7 (latest revision is 31)
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 868718 from Dominique Leuenberger (dimstar) (revision 7)
Let's use a real _service file.

NOTE: the version is a small downgrade, but that's because I use %cd (aka commit date) as the version identifier.
In the _service file I used the same commit date, so in fact this is the same source.


- Convert to use a proper git source _service:
  + To update, one just needs to update the commit/revision in the
    _service file and run `osc service dr`.
  + The version of the package is defined by the commit date of the
    revision, followed by the abbreviated git hash. (The same
    revision used before thus results in a downgrade to 20210118,
    but as this is an all-time new package, this is acceptable.)
Comments (2)

Anonymous Checkouts:

The LEGACY crypto-policy no longer works as documented as of OpenSSL 3.1. In order to have TLSv1.0 and TLSv1.1 work with OpenSSL 3.1 @SECLEVEL=0 is required.

I had already added the legacy provider to openssl.cnf when OpenSSL 3.0 replaced 1.1.1 in Tumbleweed in order to keep OpenVPN working, so I cannot say for sure, but I would not be the least bit surprised if that is also required for TLS < v1.2 to function in practice.

Also, prior to the transition to OpenSSL 3.1, the DEFAULT crypto-policy did not enforce the documented requirement of TLS >= v1.2. It was only with the transition from OpenSSL 3.0 to 3.1 that I switched my system's crypto-policy from DEFAULT to LEGACY, to no avail, in an attempt to unbreak the connection to a POP3S server which only supports TLSv1.0.

Pedro Monreal Gonzalez:

Thanks for your comments! Could you open a bug report on bugzilla.opensuse.org with as much information as possible and the steps to reproduce? TIA.