Bug 1109112 - Use the system crypto policy unless otherwise specified
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: lighttpd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
Blocks: 1076390
Reported: 2014-06-13 09:31 UTC by Nikos Mavrogiannopoulos
Modified: 2014-07-07 15:54 UTC
Last Closed: 2014-07-07 15:54:52 UTC
Type: Bug

Description Nikos Mavrogiannopoulos 2014-06-13 09:31:34 UTC
Please convert to use the system's crypto policy for SSL and TLS:
https://fedoraproject.org/wiki/Changes/CryptoPolicy#Scope

If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority().

If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM".

If this program obtains its cipher list (or priority) using a configuration file, please update the shipped configuration files with the appropriate string that sets the system policy.

In all cases please verify (as described in the URL above) that the application uses the system's crypto profiles.

Please contact me for any questions.

Comment 1 Nikos Mavrogiannopoulos 2014-07-04 10:57:46 UTC
A quick reminder: this is a blocker for #1076390. If you have no resources to pursue that, please contact me.

Comment 2 Gwyn Ciesla 2014-07-07 12:24:19 UTC
I see this uses OPENSSL but am unsure from the wiki page exactly how to implement this.  If you could guide me I'm more than willing to implement.

Comment 3 Nikos Mavrogiannopoulos 2014-07-07 12:57:48 UTC
In the shipped lighttpd.conf, I'd have the "ssl.cipher-list" value be "PROFILE=SYSTEM".

That is, I'd add in '$SERVER["socket"] == "10.0.0.1:443"'

# That will utilize the default cipher list for this system. You may consult 
# update-crypto-policies(8) for more information. Unless you know what you
# are doing it is recommended not to change that.
ssl.cipher-list             = "PROFILE=SYSTEM"

Comment 4 Gwyn Ciesla 2014-07-07 13:27:42 UTC
In other words:

-- doc/config/lighttpd.conf~	2014-03-12 11:40:36.000000000 -0500
+++ doc/config/lighttpd.conf	2014-07-07 08:22:46.934838985 -0500
@@ -417,7 +417,7 @@
 ##     # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
 ##     #
 ##     # If you know you have RSA keys (standard), you can use:
-##     ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
+##     ssl.cipher-list             = "PROFILE=SYSTEM"
 ##     # The more generic version (without the restriction to RSA keys) is
 ##     # ssl.cipher-list           = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
 ##     #
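Review bot: The unchanged context line "If you know you have RSA keys (standard), you can use:" directly above the new value no longer describes it, because "PROFILE=SYSTEM" selects the system default cipher list rather than an RSA-specific string. Suggest replacing that comment with the explanatory text proposed in Comment 3 (the pointer to update-crypto-policies(8) and the advice not to change the value) so an administrator reading the file knows what the setting does.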
-- config/lighttpd.conf~	2014-03-12 11:40:36.000000000 -0500
+++ config/lighttpd.conf	2014-07-07 08:22:55.629838791 -0500
@@ -417,7 +417,7 @@
 ##     # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
 ##     #
 ##     # If you know you have RSA keys (standard), you can use:
-##     ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
+##     ssl.cipher-list             = "PROFILE=SYSTEM"
 ##     # The more generic version (without the restriction to RSA keys) is
 ##     # ssl.cipher-list           = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
 ##     #
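Review bot: The added line keeps the "##" prefix, so in config/lighttpd.conf it is still a commented-out example and sets nothing until an administrator uncomments it. If the shipped file is meant to state the policy explicitly, make it an active directive; otherwise the case from the description (no default cipher list specified) is what applies and should be confirmed. The context line after it, the "more generic version" starting "HIGH !aNULL !3DES", is still offered as an alternative and would replace the system policy with a fixed string if used, so consider dropping it or saying so in the comment.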


?

Comment 5 Nikos Mavrogiannopoulos 2014-07-07 15:02:15 UTC
That looks reasonable. If you want to test it, you'll need to install openssl and crypto-policies from rawhide.
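
For the verification step requested in the description, a static check of the configuration file can be done as follows. This is an added example, not code from the bug report or from lighttpd; the function names `audit_cipher_list` and `write_samples` and the sample configs are constructed for illustration. It only inspects the config text and does not confirm that the installed openssl resolves "PROFILE=SYSTEM".

```shell
# audit_cipher_list FILE: report every active ssl.cipher-list directive as
#   SYSTEM <line> | OVERRIDE <line> <value>, or UNSET when there is none.
# Exit status is 1 if any directive overrides the system policy, else 0.
audit_cipher_list() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }    # commented-out examples ("##     ssl...") are inactive
        line ~ /^ssl\.cipher-list[ \t]*=/ {
            val = line
            sub(/^ssl\.cipher-list[ \t]*=[ \t]*"/, "", val)  # drop key and opening quote
            sub(/".*$/, "", val)          # drop closing quote and any trailing comment
            found = 1
            if (val == "PROFILE=SYSTEM") {
                printf "SYSTEM %d\n", NR
            } else {
                printf "OVERRIDE %d %s\n", NR, val
                bad = 1
            }
        }
        END { if (!found) print "UNSET"; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample configs (not the shipped Fedora files).
write_samples() {
    dir=$1
    cat > "$dir/example-only.conf" <<'EOF'
##     ssl.cipher-list             = "PROFILE=SYSTEM"
EOF
    cat > "$dir/policy.conf" <<'EOF'
$SERVER["socket"] == "10.0.0.1:443" {
    ssl.cipher-list = "PROFILE=SYSTEM"
}
EOF
    cat > "$dir/override.conf" <<'EOF'
$SERVER["socket"] == "10.0.0.1:443" {
    ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"  # old default
}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in example-only policy override; do
    echo "$f: $(audit_cipher_list "$tmp/$f.conf" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

An UNSET result means the file leaves the choice to the library default, which is the case the description says needs no modification.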
