Bug 1842835

Summary: rpmlint reports crypto-policy-non-compliance-openssl
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Moriš <omoris>
Component: postfixAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2   
Target Milestone: rc   
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-02 07:27:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1842847    

Description Ondrej Moriš 2020-06-02 07:44:53 UTC 
Description of problem:

Crypto-policy non-compliance is reported by rpmlint.

Since RHEL-8.0 we have system-wide crypto policies - usage of cryptographic protocols such as TLS that are enforced system-wide. In general we want all applications in RHEL to be compliant with the crypto policy set on the system (see policy [1] inherited from Fedora).

Rpmlint detected that postfix uses SSL_CTX_set_cipher_list from OpenSSL library without  PROFILE=SYSTEM. This indicates that a custom setting is used rather than system-wide crypto-policies setting. It is not a problem as long as it is intentional (e.g. specific algorithm is requested by user or configuration). However, unintentional usage might be a potential bug.

Could you please inspect relevant parts of the code, check that this is not rpmlint false positive and verify that custom setting is used intentionally?

 * If yes, feel free to close this BZ as NOT-A-BUG.
 * If not, could you please consider using system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting?

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies

Version-Release number of selected component (if applicable):

postfix-3.3.1-12.el8

How reproducible:

100%

Steps to Reproduce:

1. rpmlint postfix-3.3.1-12.el8.x86_64.rpm


Expected results:

No crypto-policy-non-compliance warning.

Actual results:

postfix.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/postfix/libpostfix-tls.so SSL_CTX_set_cipher_list
Comment 3 RHEL Program Management 2021-12-02 07:27:04 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.