Please convert to use the system's crypto policy for SSL and TLS: https://fedoraproject.org/wiki/Changes/CryptoPolicy#Scope If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority(). If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM". If this program obtains its cipher list (or priority) using a configuration file, please update the shipped configuration files with the appropriate string that sets the system policy. In all cases verify (as described in the URL above) that the application uses the system's crypto profiles. Please contact me for any questions.
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=c0bdfa464b7c8b7d202b7a7ab31bc0e4b06a33fc Package: httpd-2.4.9-5.fc21 Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=539199
Further investigation: this has not quite achieved what was expected. Without SSLCipherSuite configured, mod_ssl still configures a cipher suite, but will use "!EXP:" + SSL_DEFAULT_CIPHER_LIST (OpenSSL macro) by default. This is not exactly what is specified here. What is the preferred behaviour: that mod_ssl really does not call SSL_CTX_set_cipher_list() at all by default?
My personal preference would be to use "PROFILE=SYSTEM" as the cipher list. That way it would be explicit to the administrator that the system-wide settings are being applied. The default behavior when SSL_CTX_set_cipher_list() isn't called is mostly for unattended programs that offer no configuration file.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Any update on this issue?
The choices for what is passed to SSL_CTX_set_cipher_list() in mod_ssl are:

1) If we configure "SSLCipherSuite PROFILE=SYSTEM" by default, we'll actually get "!aNULL:!eNULL:!EXP:PROFILE=SYSTEM"

2) We configure no SSLCipherSuite by default. We'll actually get: "!EXP:" + SSL_DEFAULT_CIPHER_LIST

If (1) is OK I'll go with that.

Further alternatives:

a) We patch mod_ssl to recognize "PROFILE=" as special and not prepend !aNULL etc. in that case, and then do (1).

Preference?
(In reply to Joe Orton from comment #6)
> The choices for what is passed to SSL_CTX_set_cipher_list() in mod_ssl are:
>
> 1) If we configure "SSLCipherSuite PROFILE=SYSTEM" by default, we'll
> actually get
>
> "!aNULL:!eNULL:!EXP:PROFILE=SYSTEM"
>
> 2) We configure no SSLCipherSuite by default. We'll actually get:
>
> "!EXP:" + SSL_DEFAULT_CIPHER_LIST
>
> If (1) is OK I'll go with that.
>
> Further alternatives:
>
> a) We patch mod_ssl to recognize "PROFILE=" as special and no prepend !aNULL
> etc in that case, and then do (1).
>
> Preference?

I believe (1) wouldn't work with the current parser code, so neither seems a good option. I think (a), or at least an option that does not set anything, would be best. (added Tomas in case I missed something)
Yes, unfortunately the current parser won't work when you prepend anything to the PROFILE=SYSTEM. You can only append to it.
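Added example, not code from httpd, mod_ssl or the crypto-policies project: a small Python model of the cipher strings mod_ssl would hand to SSL_CTX_set_cipher_list() under options (1), (2) and (a) above, plus a check for the two ways a PROFILE= string can go wrong in this thread (something prepended in front of it, or the wrong profile name). The function names are hypothetical; the run-time keyword "DEFAULT" is used as a stand-in for the compile-time SSL_DEFAULT_CIPHER_LIST macro, which is an assumption. The last function asks the OpenSSL this Python is linked against whether it accepts a string, which only says yes to PROFILE=SYSTEM on a crypto-policies-enabled build such as Fedora's.

```python
"""Model of the mod_ssl cipher-string choices discussed in this bug.

Added example; not httpd/mod_ssl code. It only reproduces the behaviour
the comments above describe.
"""
import ssl

# Prefix mod_ssl puts in front of a configured SSLCipherSuite value (comment #6).
MODSSL_PREFIX = "!aNULL:!eNULL:!EXP:"

# With no SSLCipherSuite, mod_ssl uses "!EXP:" + SSL_DEFAULT_CIPHER_LIST.
# SSL_DEFAULT_CIPHER_LIST is a compile-time macro; the run-time keyword
# "DEFAULT" is used here as a stand-in for it (assumption).
NO_CONFIG_CIPHERS = "!EXP:DEFAULT"

# The only profile name this thread names as valid (comment #10).
KNOWN_PROFILES = {"SYSTEM"}


def modssl_cipher_string(configured, profile_aware=False):
    """Cipher string mod_ssl would pass to SSL_CTX_set_cipher_list().

    configured    -- the SSLCipherSuite value, or None when not configured
    profile_aware -- model alternative (a): skip the prefix when the value
                     starts with "PROFILE=" (hypothetical mod_ssl patch)
    """
    if configured is None:
        return NO_CONFIG_CIPHERS
    if profile_aware and configured.startswith("PROFILE="):
        return configured
    return MODSSL_PREFIX + configured


def check_cipher_string(cipher_string):
    """Return None if the string is usable, otherwise a short reason.

    Models the two failure modes from this thread: PROFILE=<name> is only
    recognised as the first element, so anything prepended breaks it while
    appending is fine (comment #8), and the profile must be SYSTEM, not
    DEFAULT (comment #10).
    """
    for index, element in enumerate(cipher_string.split(":")):
        if element.startswith("PROFILE="):
            if index != 0:
                return "PROFILE= must be the first element; nothing may be prepended"
            name = element[len("PROFILE="):]
            if name not in KNOWN_PROFILES:
                return f"unknown profile name {name!r}; use PROFILE=SYSTEM"
            return None
    return None  # plain cipher list, no profile involved


def evaluate_options():
    """Map each option in the bug to (resulting cipher string, problem or None)."""
    candidates = {
        "(1) SSLCipherSuite PROFILE=SYSTEM":
            modssl_cipher_string("PROFILE=SYSTEM"),
        "(2) no SSLCipherSuite":
            modssl_cipher_string(None),
        "(a) patched mod_ssl, PROFILE=SYSTEM":
            modssl_cipher_string("PROFILE=SYSTEM", profile_aware=True),
        "first patch, PROFILE=DEFAULT":
            modssl_cipher_string("PROFILE=DEFAULT", profile_aware=True),
    }
    return {name: (s, check_cipher_string(s)) for name, s in candidates.items()}


def local_openssl_accepts(cipher_string):
    """Ask the OpenSSL this interpreter is linked against to parse the string.

    OpenSSL silently ignores unknown tokens, so on a build without the
    crypto-policies patch a PROFILE=... string leaves an empty cipher list
    and is rejected; on Fedora's build PROFILE=SYSTEM as first element works.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for name, (cipher_string, problem) in evaluate_options().items():
        print(f"{name:38} {cipher_string:42} "
              f"model={'ok' if problem is None else problem}; "
              f"local openssl accepts={local_openssl_accepts(cipher_string)}")
```

Run it on a Fedora host and on a stock OpenSSL host to see the difference the crypto-policies patch makes: only option (a) yields a string that both the model and Fedora's OpenSSL accept, which is the conclusion the thread reaches.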
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=4475e3e26285ff84d9c5fd3b9ffb45376f0092d6 Package: httpd-2.4.10-6.fc22 Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=569704
Joe, there seems to be an issue in your patch. There you set "PROFILE=DEFAULT" in the configuration file. The name is "PROFILE=SYSTEM".
Thanks Nikos - yes we worked that out too after some headscratching :) It is fixed in the current f21 package: http://pkgs.fedoraproject.org/cgit/httpd.git/commit/?id=793563ad40c65d89906e61a3f83ded4dcb7996f8
Thanks