Red Hat Bugzilla – Attachment 1784008 Details for Bug 1960700: update LEGACY policy for OpenSSL to SECLEVEL1 from SECLEVEL2
[patch] Proposed patch
seclevel1-for-LEGACY.patch (text/plain), 6.50 KB, created by Alexander Sosedkin on 2021-05-17 10:33:24 UTC
Description: Proposed patch
Filename: seclevel1-for-LEGACY.patch
MIME Type: text/plain
Creator: Alexander Sosedkin
Created: 2021-05-17 10:33:24 UTC
Size: 6.50 KB
Flags: patch, obsolete
>commit bbed3b1a5354cf191db46143421176dd1a8ce6bf >Author: Alexander Sosedkin <asosedkin@redhat.com> >Date: Mon May 17 12:30:21 2021 +0200 > > RHEL-9: LEGACY must have SECLEVEL=1, enabling SHA1 > > Request comes from https://bugzilla.redhat.com/show_bug.cgi?id=1960700 > >diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt >index ab387e8..15a5882 100644 >--- a/crypto-policies.7.txt >+++ b/crypto-policies.7.txt >@@ -311,7 +311,12 @@ predefined crypto policies: > > * *OpenSSL*: The minimum length of the keys and some other parameters > are enforced by the @SECLEVEL value which does not provide a fine >-granularity. The list of *TLS* ciphers is not generated as an exact list >+granularity. >+In RHEL-9, SECLEVEL=1 differs from SECLEVEL=2 only by SHA-1 support. >+SECLEVEL=0 is not enableable, meaning key sizes less than 2048 >+are not enableable. >+ >+* *OpenSSL*: The list of *TLS* ciphers is not generated as an exact list > but by subtracting from all the supported ciphers for the enabled key > exchange methods. For that reason there is no way to disable a random cipher. > In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not >diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py >index ea37e00..f838f2a 100644 >--- a/python/policygenerators/openssl.py >+++ b/python/policygenerators/openssl.py 
>@@ -77,17 +77,19 @@ class OpenSSLGenerator(ConfigGenerator): > s = '' > p = policy.enabled > ip = policy.disabled >- # We cannot separate RSA strength from DH params. >+ >+ # RHEL-9 is... interesting here. >+ # keys smaller than 2048 are no longer selectable at all. >+ # SECLEVEL=1 differs from SECLEVEL=2 by SHA-1 support. >+ # LEGACY must have SECLEVEL=1, DEFAULT must have SECLEVEL=2 > min_dh_size = policy.integers['min_dh_size'] > min_rsa_size = policy.integers['min_rsa_size'] >- if min_dh_size < 1023 or min_rsa_size < 1023: >- s = cls.append(s, '@SECLEVEL=0') >- elif min_dh_size < 2048 or min_rsa_size < 2048: >- s = cls.append(s, '@SECLEVEL=1') >- elif min_dh_size < 3072 or min_rsa_size < 3072: >- s = cls.append(s, '@SECLEVEL=2') >+ if min_dh_size >= 3072 or min_rsa_size >= 3072: >+ s = cls.append(s, '@SECLEVEL=3') # and SHA-1 gets disabled >+ elif 'SHA1' not in p['hash']: >+ s = cls.append(s, '@SECLEVEL=2') # 2048 min, no SHA-1 > else: >- s = cls.append(s, '@SECLEVEL=3') >+ s = cls.append(s, '@SECLEVEL=1') # 2048 min, SHA-1 > > for i in p['key_exchange']: > try: >diff --git a/tests/outputs/EMPTY-openssl.txt b/tests/outputs/EMPTY-openssl.txt >index 9d54856..c533130 100644 >--- a/tests/outputs/EMPTY-openssl.txt >+++ b/tests/outputs/EMPTY-openssl.txt >@@ -1 +1 @@ >-@SECLEVEL=0:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20-POLY1305:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >+@SECLEVEL=2:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20-POLY1305:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >diff --git a/tests/outputs/EMPTY-opensslcnf.txt b/tests/outputs/EMPTY-opensslcnf.txt >index 430f736..6dfd0fe 100644 >--- a/tests/outputs/EMPTY-opensslcnf.txt >+++ b/tests/outputs/EMPTY-opensslcnf.txt 
>@@ -1,4 +1,4 @@ >-CipherString = @SECLEVEL=0:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20-POLY1305:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >+CipherString = @SECLEVEL=2:-kPSK:-kDHEPSK:-kECDHEPSK:-kRSAPSK:-kEECDH:-kRSA:-aRSA:-aDSS:-AES256:-AES128:-CHACHA20-POLY1305:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-AESCCM:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 > Ciphersuites = > MinProtocol = > SignatureAlgorithms = >\ No newline at end of file >diff --git a/tests/outputs/LEGACY-openssl.txt b/tests/outputs/LEGACY-openssl.txt >index 8db06ca..40c9494 100644 >--- a/tests/outputs/LEGACY-openssl.txt >+++ b/tests/outputs/LEGACY-openssl.txt >@@ -1 +1 @@ >-@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >+@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >diff --git a/tests/outputs/LEGACY-opensslcnf.txt b/tests/outputs/LEGACY-opensslcnf.txt >index 80f92d5..21db960 100644 >--- a/tests/outputs/LEGACY-opensslcnf.txt >+++ b/tests/outputs/LEGACY-opensslcnf.txt >@@ -1,4 +1,4 @@ >-CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >+CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 > Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 > MinProtocol = TLSv1.2 > MaxProtocol = TLSv1.3 >diff --git a/tests/outputs/LEGACY:AD-SUPPORT-openssl.txt b/tests/outputs/LEGACY:AD-SUPPORT-openssl.txt >index 8db06ca..40c9494 100644 
>--- a/tests/outputs/LEGACY:AD-SUPPORT-openssl.txt >+++ b/tests/outputs/LEGACY:AD-SUPPORT-openssl.txt >@@ -1 +1 @@ >-@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >+@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >\ No newline at end of file >diff --git a/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt b/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt >index 80f92d5..21db960 100644 >--- a/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt >+++ b/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt >@@ -1,4 +1,4 @@ >-CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 >+CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 > Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 > MinProtocol = TLSv1.2 > MaxProtocol = TLSv1.3
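Review bot: In the crypto-policies.7.txt hunk, the added sentence "SECLEVEL=0 is not enableable, meaning key sizes less than 2048 are not enableable" uses a non-word and does not say which keys or which unit; suggest "SECLEVEL=0 cannot be selected, so RSA and DH keys shorter than 2048 bits cannot be enabled". The preceding sentence should also state that the "SECLEVEL=1 differs from SECLEVEL=2 only by SHA-1 support" equivalence is specific to the RHEL-9 OpenSSL build, as the generator comment in the next hunk does ("RHEL-9 is... interesting here"), because the removed generator branch `elif min_dh_size < 2048 or min_rsa_size < 2048: s = cls.append(s, '@SECLEVEL=1')` shows that SECLEVEL=1 was previously used to admit shorter keys, and a reader of the man page on another build may still expect that.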
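Review bot: The openssl.py hunk drops the SECLEVEL=0 branch without replacing the check, so a policy whose `min_rsa_size` or `min_dh_size` is below 2048 now silently receives `@SECLEVEL=1` or `@SECLEVEL=2`, both of which the new comment says enforce a 2048-bit minimum; the generator should warn (or fail) when a requested minimum cannot be honoured, so that a custom policy author learns the setting was ignored rather than discovering it from a handshake failure. The same applies to the first branch: `@SECLEVEL=3` is emitted when a minimum is `>= 3072` even if `'SHA1'` is in `p['hash']`, and the trailing comment "# and SHA-1 gets disabled" records that the policy file and the generated output disagree, which is exactly the case that deserves a logged warning instead of a comment. A short docstring spelling out the three-way mapping (3: at least 3072 and no SHA-1; 2: 2048 and no SHA-1; 1: 2048 and SHA-1) would also make the precedence between the size check and the hash check explicit.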
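Review bot: The EMPTY-openssl.txt and EMPTY-opensslcnf.txt hunks move the EMPTY policy from `@SECLEVEL=0` to `@SECLEVEL=2`, which is consistent with the new generator because EMPTY disables every hash (the string still carries `-SHA1`), so the `'SHA1' not in p['hash']` branch fires; this is a behaviour change for EMPTY that the commit message ("LEGACY must have SECLEVEL=1, enabling SHA1") does not mention and should. The LEGACY:AD-SUPPORT outputs are byte-for-byte the LEGACY outputs (identical blob ids 8db06ca..40c9494 and 80f92d5..21db960), so the expected-output update is complete for the subpolicy as well.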