Bug 1428746
| Field | Value |
|---|---|
| Summary | NSS should provide a tool to check the validity of a crypto policy configuration file |
| Product | Fedora |
| Component | nss |
| Version | 27 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Reporter | Nikos Mavrogiannopoulos <nmavrogi> |
| Assignee | Kai Engert (:kaie) (inactive account) <kengert> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dueno, kdudka, kengert |
| Type | Bug |
| Clones | 1527033 |
| Bug Blocks | 1179209, 1527033, 1605247 |
| Last Closed | 2018-10-05 11:14:39 UTC |
Description
Nikos Mavrogiannopoulos
2017-03-03 09:53:30 UTC
Created attachment 1259812 [details]
enhances listsuites to check crypto-policies config file for correctness
CAVEAT: this latest version is untested.
Created attachment 1259813 [details]
Changes to nss.spec - in patch format
Comment on attachment 1259812 [details]
enhances listsuites to check crypto-policies config file for correctness
Remove this
+ if (info.cipherSuite == TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
+ fprintf (stdout, "foo\n");
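Review bot: the hard-coded test against TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA followed by `fprintf (stdout, "foo\n");` is leftover debug output with no relation to the policy check; both lines should be dropped before the patch is applied, otherwise every run prints "foo" whenever that suite is reached.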
How did it get there, I don't know. Also the formatting of extra info leaves a bit to be desired.
Created attachment 1264214 [details]
enhances listsuites to check crypto-policies config file for correctness
Checking the policy file for correctness is a bit of an overstatement. It does print extra policy information when available, and it's probably a good first step towards the goal.
Created attachment 1264216 [details]
Changes to nss.spec - in patch format
Created attachment 1264217 [details]
listsuites output before the patch is applied
Created attachment 1264218 [details]
listsuites output after the patch was applied
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

I took the liberty of filing an upstream bug for this with a subset of the patch provided by Elio.

We discussed this request by email, and the request was clarified, which I'll attempt to summarize below. Nikos, please speak up if the summary is incorrect.

We should implement a tool that checks that:

- the policy file has a correct syntax
- at least one version or mechanism of each configured category is enabled

Checking for inconsistencies between configuration categories is outside the scope of this tool.

I've provided an initial patch upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1474887

This isn't a clear black/white request. IMHO the implementation I'm suggesting accomplishes the request; however, I suggest that you review it. Not a code review, but rather a review of the approach that is used, of the coverage that is provided, and of the way failures are reported and treated. The code review should be done later, after we've agreed that the implementation sufficiently implements the requested check.

The new nss-policy-check tool has been checked in upstream and will be available with NSS 3.39, which is expected around mid July.

This is already in Fedora.

Thank you!
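The two checks requested in the thread (the policy file parses, and every category still has at least one enabled entry after the allow/disallow directives are applied) as a small stand-alone checker. This is an added example, not the nss-policy-check tool that landed in NSS 3.39 and not code from the patches attached to this bug. It reads the layout Fedora's crypto-policies writes for the NSS back end (`library=`, `name=`, `NSS=`, `config="..."`); the algorithm names grouped into categories are a reduced, assumed vocabulary for illustration rather than NSS's authoritative table, and the sample files are constructed.

```python
"""Added example: a minimal crypto-policies/NSS config checker.

Not NSS code. Rules enforced:
  1. every non-comment line is key=value and config= is double-quoted;
  2. after applying allow=/disallow= in order, each category (key exchange,
     cipher, MAC, hash, curve, TLS version) still has at least one entry.
The vocabulary below is an assumption for illustration, not NSS's full list.
"""
import re

# Assumed category tables (reduced; NSS knows many more names).
CATEGORIES = {
    "kx":     {"ECDHE-RSA", "ECDHE-ECDSA", "RSA", "DHE-RSA", "DHE-DSS"},
    "cipher": {"aes256-gcm", "aes128-gcm", "aes256-cbc", "aes128-cbc",
               "chacha20-poly1305", "3des", "rc4"},
    "mac":    {"HMAC-SHA1", "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512", "HMAC-MD5"},
    "hash":   {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"},
    "curve":  {"CURVE25519", "SECP256R1", "SECP384R1", "SECP521R1"},
}
TLS_VERSIONS = ["tls1.0", "tls1.1", "tls1.2", "tls1.3"]   # ordered low to high
INT_OPTIONS = {"DH-MIN", "DSA-MIN", "RSA-MIN"}             # numeric minimums


def _category_of(name):
    for cat, names in CATEGORIES.items():
        if name in names:
            return cat
    return None


def parse_nss_config(text):
    """Syntax check of the outer file. Returns (fields, errors)."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        key, value = line.split("=", 1)       # NSS=flags=... keeps its inner '='
        fields[key.strip()] = value.strip()
    if "config" not in fields:
        errors.append("missing config= line")
    else:
        v = fields["config"]
        if len(v) < 2 or v[0] != '"' or v[-1] != '"':
            errors.append("config value must be enclosed in double quotes")
    return fields, errors


def evaluate_config(directives):
    """Apply allow=/disallow= in order. Returns (enabled names per category, errors)."""
    enabled = {cat: set() for cat in CATEGORIES}
    enabled["tls-version"] = set()
    errors, mode = [], None
    # Directives are separated by ':' or whitespace ("disallow=ALL allow=A:B:...").
    for tok in re.split(r"[\s:]+", directives.strip()):
        if not tok:
            continue
        key, _, val = tok.partition("=")
        if key in ("allow", "disallow"):
            mode, name = key, val
        elif key == "tls-version-min":
            if val not in TLS_VERSIONS:
                errors.append(f"unknown TLS version {val!r}")
            else:   # the minimum enables that version and everything above it
                enabled["tls-version"] = set(TLS_VERSIONS[TLS_VERSIONS.index(val):])
            continue
        elif key in INT_OPTIONS:
            if not val.isdigit():
                errors.append(f"{key} requires an integer, got {val!r}")
            continue
        elif "=" in tok:
            errors.append(f"unknown option {key!r}")
            continue
        else:
            name = tok
        if mode is None:
            errors.append(f"{name!r} appears before any allow=/disallow=")
            continue
        if name == "ALL":
            for cat, s in enabled.items():
                universe = set(TLS_VERSIONS) if cat == "tls-version" else CATEGORIES[cat]
                s.update(universe) if mode == "allow" else s.clear()
            continue
        cat = _category_of(name)
        if cat is None:
            errors.append(f"unknown algorithm name {name!r}")
            continue
        (enabled[cat].add if mode == "allow" else enabled[cat].discard)(name)
    return enabled, errors


def check_policy(text):
    """Run both checks. Returns a list of error strings; empty means the file passed."""
    fields, errors = parse_nss_config(text)
    if errors:
        return errors
    enabled, errors = evaluate_config(fields["config"][1:-1])
    for cat, names in enabled.items():
        if not names:
            errors.append(f"no {cat} enabled: every {cat} is disallowed")
    return errors


# Constructed samples in the Fedora back-end layout (not real system files).
GOOD = '''library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:CURVE25519:SECP256R1:aes256-gcm:chacha20-poly1305:aes128-gcm:SHA256:SHA384:ECDHE-RSA:ECDHE-ECDSA:RSA:tls-version-min=tls1.2:DH-MIN=2048:RSA-MIN=2048"
'''
NO_TLS_VERSION = GOOD.replace("tls-version-min=tls1.2:", "")     # no version re-enabled
UNQUOTED = GOOD.replace('config="', "config=")                    # syntax error
UNKNOWN = GOOD.replace("aes128-gcm", "aes128-ctr")                # name not in any category
ALL_KX_OFF = GOOD.replace("ECDHE-RSA:ECDHE-ECDSA:RSA:", "")       # key exchange category empty

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("no-tls-version", NO_TLS_VERSION),
                          ("unquoted", UNQUOTED), ("unknown", UNKNOWN), ("kx-off", ALL_KX_OFF)]:
        print(f"{label}: {check_policy(sample) or 'OK'}")
```

The checker deliberately stops at the two requested rules: it does not reason about cross-category consistency (for example a TLS 1.3 minimum combined with only CBC ciphers), which the thread places out of scope.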