Bug 1107633 - System-wide crypto policy
Status: CLOSED NEXTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: security-guide
Version: devel
Assigned To: Eric Christensen
QA Contact: Fedora Docs QA
URL: http://fedoraproject.org//wiki/Change...
Whiteboard: ChangeAcceptedF21
Keywords: Documentation, ReleaseNotes
Depends On: 1076390
Clone Of: 1076390
Doc Type: Bug Fix

Reported: 2014-06-10 07:21 EDT by Eric Christensen
Modified: 2014-06-27 09:32 EDT
Last Closed: 2014-06-27 09:32:19 EDT

Attachments:
Patch adding CryptoPolicy text (4.99 KB, patch), 2014-06-10 07:23 EDT, Eric Christensen
Description Eric Christensen 2014-06-10 07:21:53 EDT
+++ This bug was initially created as a clone of Bug #1076390 +++

This is a tracking bug for Change: System-wide crypto policy
For more details, see: http://fedoraproject.org//wiki/Changes/CryptoPolicy

Unify the crypto policies used by different applications and libraries. That is, allow setting a consistent security level for crypto on all applications in a Fedora system. The implementation approach will be to initially modify SSL libraries to respect the policy and gradually add more libraries and applications.

--- Additional comment from Eric Christensen on 2014-03-24 13:40:11 EDT ---

I wrote up something about this already (but can't find it) that can be used in the Release Notes and Security Guide.  As soon as I can lay my hands on it, again, I'll post it for review.

--- Additional comment from Eric Christensen on 2014-03-24 14:40:25 EDT ---

This is the text I'd like to use for the Release Notes and Security Guide if it looks good to the feature owner.

--- Additional comment from Nikos Mavrogiannopoulos on 2014-03-25 05:45:07 EDT ---

Let's not update the release notes and manual yet, as the details are not yet fixed. I expect these to be fixed by the end of next month.

--- Additional comment from Nikos Mavrogiannopoulos on 2014-06-03 07:26:05 EDT ---

I've updated the proposed text for the release notes.

<title>Crypto Policy</title>

<para>Beginning in Fedora 21, a system-wide crypto policy will be available for users to quickly set up the cryptographic options for their systems.  Users that must meet certain cryptographic standards can make the policy change in <filename>/etc/crypto-policies/config</filename>, and run update-crypto-policies. At this point applications that utilize the default set of ciphers in the GnuTLS and OpenSSL libraries will follow the policy requirements.</para>

<para>The available options are: (1) LEGACY, which ensures compatibility with legacy systems - 64-bit security, (2) DEFAULT, a reasonable default for today's standards - 80-bit security, and (3) FUTURE, a conservative level that is believed to withstand any near-term future attacks - 128-bit security.
These levels affect SSL/TLS settings, including elliptic curves, signature hash functions, ciphersuites, and key sizes.</para>

<para>Additional information on this new feature can be found on the <ulink url="https://fedoraproject.org/wiki/Changes/CryptoPolicy">CryptoPolicy Changes wiki page</ulink>.</para>

--- Additional comment from Eric Christensen on 2014-06-03 11:58:18 EDT ---

(In reply to Nikos Mavrogiannopoulos from comment #4)

Awesome, thanks!  I've added it to the Security Beat (https://fedoraproject.org/wiki/Documentation_Security_Beat) and it should be in the Release Notes for F21.
Comment 1 Eric Christensen 2014-06-10 07:23:38 EDT
Created attachment 907165
Patch adding CryptoPolicy text

This is ready for QA.
