Bug 1179271

Summary: Utilize system-wide crypto-policies
Product: [Fedora] Fedora
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: systemtap
Assignee: Frank Ch. Eigler <fche>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: brolley, dsmith, fche, jistone, lberk, mjw, nathans, scox, wcohen
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-07-09 14:59:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1157720
Bug Blocks: 1179209

Description Nikos Mavrogiannopoulos 2015-01-06 14:19:14 UTC
Please convert to use the system's crypto policy for SSL and TLS:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority().

If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM".

In both cases please verify that the application uses the system's crypto policies.

If the package is already using the system-wide crypto policies, or it does not use SSL or TLS, no action is required; the bug can simply be closed.
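The OpenSSL half of the request above, as an added example that is not part of the bug report or of systemtap: an application that hard-codes its own cipher list replaces it with "PROFILE=SYSTEM" so the selection comes from update-crypto-policies, while an application with no cipher list of its own leaves the library default alone (on Fedora that default already is the system policy). It uses Python's standard `ssl` module, which wraps OpenSSL; the GnuTLS side ("@SYSTEM" / gnutls_set_default_priority()) has no standard-library equivalent and is not shown. The function names, the fallback behaviour on an unpatched upstream OpenSSL, and the sample hard-coded cipher string are this example's own assumptions, not anything from the bug.

```python
"""Added example (not from bug 1179271 or systemtap): opting an OpenSSL-backed
TLS client into Fedora's system-wide crypto policy and checking that it took."""
import ssl
from typing import List, Optional, Tuple

# Cipher string from the Fedora packaging guideline linked in the bug.
POLICY_CIPHER_STRING = "PROFILE=SYSTEM"


def supports_system_profile() -> bool:
    """Return True if the OpenSSL this interpreter is linked against accepts
    PROFILE=SYSTEM.

    Fedora/RHEL patch OpenSSL so the string expands to whatever cipher list
    update-crypto-policies has selected; an unpatched upstream OpenSSL rejects
    it as "no cipher match", which the ssl module surfaces as ssl.SSLError.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers(POLICY_CIPHER_STRING)
    except ssl.SSLError:
        return False
    return True


def make_client_context(explicit_ciphers: Optional[str] = None) -> Tuple[ssl.SSLContext, str]:
    """Build a TLS client context and report which cipher selection is in force.

    explicit_ciphers stands in for a cipher list the application used to
    hard-code (hypothetical). The rule from the bug: no list of its own means
    keep the library default; a hard-coded list gets replaced by PROFILE=SYSTEM.
    The fallback branch (keeping the old list when PROFILE=SYSTEM is unknown)
    is an assumption for portability to non-Fedora builds, not from the bug.
    """
    ctx = ssl.create_default_context()
    if explicit_ciphers is None:
        return ctx, "library default"
    if supports_system_profile():
        ctx.set_ciphers(POLICY_CIPHER_STRING)
        return ctx, POLICY_CIPHER_STRING
    ctx.set_ciphers(explicit_ciphers)
    return ctx, explicit_ciphers


def enabled_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """The verification step from the bug: list what the context will actually
    offer, so it can be compared against `update-crypto-policies --show`."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample: a cipher list an application might have hard-coded.
    ctx, selection = make_client_context("HIGH:!aNULL:!MD5")
    print("OpenSSL honours PROFILE=SYSTEM:", supports_system_profile())
    print("cipher selection in force:", selection)
    for name in enabled_cipher_names(ctx):
        print("  ", name)
```

On a Fedora or RHEL host `selection` comes back as `PROFILE=SYSTEM` and the printed list should match the active policy; elsewhere the probe returns False and the application's own list stays in force. Either way `enabled_cipher_names()` gives the reviewer something concrete to check rather than trusting that the string was set.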

Comment 1 Josh Stone 2015-01-06 17:37:21 UTC
The wiki states that NSS is still waiting on this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1009429

Comment 2 Nikos Mavrogiannopoulos 2015-01-07 14:58:57 UTC
I reported this bug, because 'repoquery --whatrequires openssl' reports systemtap-server as depending on openssl. If that's not the case and it only needs NSS, we can ignore that issue until #1157720 is resolved.

Comment 3 Josh Stone 2015-01-07 17:02:26 UTC
Ah, seems we use the openssl command to generate a certificate:
https://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=blob;f=stap-serverd.cxx;h=422a3e17055e3a31ea1668653f85dc37ec43c77c;hb=HEAD#l1589

I think ciphers are irrelevant in this case, but please correct me if anything needs to change in that command line.

I'm not sure why we don't use the NSS API or tools to generate the cert, but this isn't my area.  David, did you consider that?  (assuming it's possible...)

Comment 4 Dave Brolley 2015-01-07 17:23:20 UTC
It is possible to create certificates using the NSS API. The server does this for the SSL certificate within gen_cert_db() in nsscommon.cxx. This function could be factored a bit (it assumes that only the SSL certificate is needed) so that the common bits could also be used to generate the mok certificate.

Comment 5 Frank Ch. Eigler 2015-01-07 17:25:25 UTC
Nikos, you should probably search for openssl-devel (API users) rather than openssl (at most command line users), in order to avoid this particular false positive.