Bug 1842801

Summary: rpmlint reports crypto-policy-non-compliance-openssl
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Priority: unspecified
Version: 8.2
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Last Closed: 2020-09-09 10:26:15 UTC
Type: Bug
Bug Blocks: 1842847

Description Ondrej Moriš 2020-06-02 07:16:10 UTC
Description of problem:

Crypto-policy non-compliance is reported by rpmlint.

Since RHEL-8.0 we have system-wide crypto policies - usage of cryptographic protocols such as TLS that are enforced system-wide. In general we want all applications in RHEL to be compliant with the crypto policy set on the system (see policy [1] inherited from Fedora).

Rpmlint detected that dovecot uses SSL_CTX_set_cipher_list from the OpenSSL library without PROFILE=SYSTEM. This indicates that a custom setting is used rather than the system-wide crypto-policies setting. It is not a problem as long as it is intentional (e.g. a specific algorithm is requested by the user or configuration). However, unintentional usage might be a potential bug.

Could you please inspect the relevant parts of the code, check that this is not an rpmlint false positive and verify that the custom setting is used intentionally?

 * If yes, feel free to close this BZ as NOT-A-BUG.
 * If not, could you please consider using the system-wide crypto policy setting (PROFILE=SYSTEM) instead of the custom setting?

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies

Version-Release number of selected component (if applicable):

dovecot-2.3.8-2.el8

How reproducible:

100%

Steps to Reproduce:

1. rpmlint dovecot-2.3.8-2.el8.x86_64.rpm


Expected results:

No crypto-policy-non-compliance warning.

Actual results:

dovecot.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/dovecot/libssl_iostream_openssl.so SSL_CTX_set_cipher_list
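
As an added illustration (not rpmlint's or dovecot's code), the following Python approximates the heuristic behind the warning above: an ELF object that imports SSL_CTX_set_cipher_list but contains no PROFILE=SYSTEM string gets flagged. The byte strings are constructed stand-ins for a shared object's string tables, and the matching rules are assumptions about how rpmlint's check works.

```python
"""Approximation of rpmlint's crypto-policy-non-compliance-openssl heuristic
(an assumption about its logic, not rpmlint's code): an ELF object that
imports SSL_CTX_set_cipher_list but carries no PROFILE=SYSTEM string is
flagged, since it can only select the system policy if that string comes
from elsewhere, e.g. dovecot's configuration file default."""
import re
import sys
from typing import Optional, Set

ELF_MAGIC = b"\x7fELF"
CIPHER_SETTER = b"SSL_CTX_set_cipher_list"  # the symbol rpmlint reported
SYSTEM_PROFILE = b"PROFILE=SYSTEM"
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # what `strings` prints


def printable_strings(blob: bytes) -> Set[bytes]:
    """Every run of 4+ printable ASCII bytes, like the `strings` tool."""
    return set(PRINTABLE_RUN.findall(blob))


def check_crypto_policy(blob: bytes, path: str = "<blob>") -> Optional[str]:
    """Return an rpmlint-style warning line, or None if nothing to report."""
    if not blob.startswith(ELF_MAGIC):
        return None  # rpmlint applies this check to ELF objects only
    found = printable_strings(blob)
    # Symbol names in .dynstr are NUL-separated, so they appear as whole runs.
    if CIPHER_SETTER not in found:
        return None  # never sets a cipher list, so no policy to bypass
    # The profile string may sit inside a longer default such as
    # "ssl_cipher_list=PROFILE=SYSTEM", so match it as a substring.
    if any(SYSTEM_PROFILE in s for s in found):
        return None
    return (f"W: crypto-policy-non-compliance-openssl {path} "
            f"{CIPHER_SETTER.decode()}")


# Constructed stand-ins for a shared object's string tables (not real files).
NONCOMPLIANT = ELF_MAGIC + b"\0libssl.so.1.1\0SSL_CTX_set_cipher_list\0HIGH:!aNULL\0"
COMPLIANT = ELF_MAGIC + b"\0SSL_CTX_set_cipher_list\0ssl_cipher_list=PROFILE=SYSTEM\0"
NO_OPENSSL = ELF_MAGIC + b"\0strlen\0memcpy\0"


def main(argv) -> int:
    for path in argv[1:]:  # check real files named on the command line
        with open(path, "rb") as f:
            warning = check_crypto_policy(f.read(), path)
        print(warning or f"{path}: ok")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `/usr/lib64/dovecot/libssl_iostream_openssl.so` to see whether the string that satisfies the check is present in the binary or only in dovecot's configuration.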

Comment 1 Michal Hlavinka 2020-09-09 10:26:15 UTC
dovecot uses a configuration option for the crypto policy, whose default value is PROFILE=SYSTEM