Bug 1821875

Summary: Strong crypto settings: phase 2
Product: Fedora
Component: Changes Tracking
Reporter: Ben Cotton <bcotton>
Assignee: Tomas Mraz <tmraz>
Severity: unspecified
Priority: unspecified
Docs Contact:
Version: 33
CC: bcotton, feddy, pspacek
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20200702-2.gitc40cede.fc33
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 14:47:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1860404

Description Ben Cotton 2020-04-07 18:32:13 UTC
This is a tracking bug for Change: Strong crypto settings: phase 2
For more details, see: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

We update the current system-wide crypto policy to further disable legacy cryptographic protocols (TLS 1.0 and TLS 1.1), weak Diffie-Hellman key exchange sizes (1024 bit), and use of the SHA-1 hash in signatures.
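
As an added example (not code from this bug, from the Change page, or from the crypto-policies project itself), the script below writes a crypto-policies policy modifier that re-enables, on a single host, the four settings this change turns off: TLS 1.0 and 1.1, 1024-bit DH, and SHA-1 in signatures. That is the narrower alternative to `update-crypto-policies --set LEGACY` when a machine must still reach a TLS 1.0-only device or an old sshd. It assumes a crypto-policies version that understands policy modifiers and the `DEFAULT:NAME` form; the module name `F32COMPAT`, the directory default, and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original bug report or of crypto-policies
# itself: a policy modifier (.pmod) that re-enables, on one host, the
# settings that "Strong crypto settings: phase 2" disables, so that a box
# which must still talk to a TLS 1.0-only peer can do so without dropping
# all the way to LEGACY. The module name and directory default are
# assumptions; the key = value lines follow the crypto-policies policy
# definition format, where a trailing "+" appends a value to the list.

POLICY_NAME="${POLICY_NAME:-F32COMPAT}"
POLICY_DIR="${POLICY_DIR:-/etc/crypto-policies/policies/modules}"

# Write the modifier into directory $1. Each line undoes one item of the
# change: TLS 1.0/1.1, 1024-bit DH, and SHA-1 in signatures.
write_subpolicy() {
    mkdir -p "$1" || return 1
    cat > "$1/$POLICY_NAME.pmod" <<'EOF'
# Re-enable legacy settings disabled in Fedora 33. Keep this scoped to the
# hosts that need it and remove it once the peers are updated.
protocol = TLS1.0+ TLS1.1+
min_dh_size = 1024
hash = SHA1+
sign = RSA-SHA1+ ECDSA-SHA1+
EOF
}

# Count the legacy knobs the written file contains, so a caller can confirm
# the module is complete before activating it (prints 4 for the file above).
count_legacy_settings() {
    grep -c -E '^(protocol|min_dh_size|hash|sign) = ' "$1/$POLICY_NAME.pmod"
}

# Activate DEFAULT plus the modifier system-wide. update-crypto-policies is
# the real Fedora tool; --set and --show are its existing options. Needs
# root; running daemons (sshd, TLS services) see the new policy only after
# a restart.
apply_subpolicy() {
    command -v update-crypto-policies >/dev/null 2>&1 || {
        echo "update-crypto-policies not found; not a crypto-policies host" >&2
        return 1
    }
    update-crypto-policies --set "DEFAULT:$POLICY_NAME" \
        && update-crypto-policies --show
}

# Usage: sh thisscript.sh apply   (as root). With no argument the script
# only defines the functions, so it can be sourced and tested elsewhere.
case "${1:-}" in
    apply) write_subpolicy "$POLICY_DIR" && apply_subpolicy ;;
esac
```

Note that this restores exactly what the change removed and nothing more; a host that needs it for one legacy peer is still exposed to that peer's weaknesses (SHA-1 signature forgery, 1024-bit DH, TLS 1.0 downgrade), so the module is a bridging measure, not a permanent configuration.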

Comment 1 Ben Cotton 2020-08-11 13:10:44 UTC
Branching F33 Change Tracker bugs.

Today is the code complete (testable) deadline. All bugs should be at least in MODIFIED state by now to indicate they are testable.

Comment 2 Ben Cotton 2020-10-27 14:47:52 UTC
Closing tracking bugs for F33. If your change didn't make it into F33 for some reason, please reopen this and NEEDINFO me.

Comment 3 Petr Špaček 2020-10-29 14:44:35 UTC
Breakage found after release:
- OpenSSH - connecting to RHEL 6 servers - bug 1884920
- Knot Resolver - DNSSEC validation of DNS domains with SHA1 signatures - bug 1892704 (affects fedoraproject.org as well, LOL)

Comment 4 Tomas Mraz 2020-10-29 15:47:29 UTC
The SSH to RHEL-6 is expected and not a bug. However, the other is a little bit unexpected, as the SHA1 disablement was supposed to be applied only within the context of the TLS, SSH, and IKE protocols. It was not supposed to be applied to DNSSEC.

Comment 5 Federic 2021-04-05 17:35:41 UTC
Someone seems to have forgotten about ADSL routers with wifi. Their firmware gets updated less frequently, and the blanket assumption behind this change that all servers will "probably" get updates to TLS 1.2 is a bit presumptuous.

Currently Fed33 is unable to connect to a lot of wifi hot spots and the wifi on my router, for example.

Moreover, it is very opaque and appears exactly like an incorrect password to the user, and even in dmesg output:


This is incorrect, since it is not the auth credentials that were invalid!

Do we need a new bug for this since this one is closed?

Comment 6 Federic 2021-04-05 17:41:11 UTC

"Given the existing deployment of TLS 1.2 on the internet, there should not be significant user experience degradation, although that's a speculation."

Perhaps such sweeping changes should be based on more than speculation.