Bug 1489825

Summary: go: Respect system-wide crypto-policies
Product: [Fedora] Fedora Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: golangAssignee: Alejandro Sáez Morollón <asm>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: admiller, amurdaca, cllang, jcajka, lemenkov, renich, s, tmraz, ttomecek
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1527035 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1179209, 1527035    

Description Nikos Mavrogiannopoulos 2017-09-08 12:26:12 UTC 
Fedora has switch to system-wide default crypto policies for TLS and other crypto packages:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies


As it is now Go applications don't respect the system policy, making them distinct from other system applications.

If go uses a configuration to adjust TLS library behavior, please suggest a patch to crypto policies upstream [0] to generate such a file. If not please advise on the appropriate path to follow for go applications to behave similarly to other system applications.

[This is a proposal for collaboration, please let me know whether that can be done in our current setup of Java and how, and if not, the steps that are required to achieve that goal]

[0]. https://gitlab.com/nmav/fedora-crypto-policies/
Comment 1 Jakub Čajka 2017-09-19 11:52:42 UTC 
Is there somewhere described the crypto policy in general terms? From first look this seems to be more fit for each individual package/project using Go stdlib, than stdlib itself(as it doesn't provide any facility to disable individual algorithms at runtime).
Comment 2 Nikos Mavrogiannopoulos 2017-09-19 12:55:49 UTC 
The idea is described in:
https://gitlab.com/nmav/fedora-crypto-policies/blob/master/update-crypto-policies.8.txt
https://fedoraproject.org/wiki/Changes/CryptoPolicy

We want to be able to provide a default system policy which _all_ packages in the system respect.
Comment 4 Fedora End Of Life 2018-02-20 15:26:29 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.