Please convert to use the system's crypto policy for SSL and TLS: https://fedoraproject.org/wiki/Packaging:CryptoPolicies If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority(). If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM". In both cases please verify that the application uses the system's crypto policies. If the package is already using the system-wide crypto policies, or it does not use SSL or TLS, no action is required, the bug can simply be closed.
I will clone this Bug upstream so that it can be investigated.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4853
Note that this has nothing to do with upstream. This is about policies enforced in fedora.
Yes, but upstream project contains downstream platform specific modules (https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaplatform) where this should be properly configured, right?
I'm not sure what you mean. Upstream should provide the configuration knobs, if they don't exist. Other than that, upstream cannot configure for fedora.
What about NSS? FreeIPA uses NSS for TLS/SSL. The crypto policy does neither explain how to configure NSS nor does it contain documentation for Python apps.
NSS cannot be configured to use the system wide policies. In that case that bug should depend on: https://bugzilla.redhat.com/show_bug.cgi?id=1157720
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Apologies, I didn't check the component and didn't realize this was for IPA and not for NSS.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
Given that FreeIPA uses NSS it automatically follows crypto policies.
(In reply to Nikos Mavrogiannopoulos from comment #12) > Given that FreeIPA uses NSS it automatically follows crypto policies. For clients this might be true but I seriously doubt that any NSS server that IPA uses honors systemwide policy.
(In reply to Rob Crittenden from comment #13) > (In reply to Nikos Mavrogiannopoulos from comment #12) > > Given that FreeIPA uses NSS it automatically follows crypto policies. > > For clients this might be true but I seriously doubt that any NSS server > that IPA uses honors systemwide policy. In NSS it is not easy to override the system-wide policy (that's intentional given to the way NSS works). One needs to use an environment variable for that.
This is news to me, the maintainer of an NSS server package. Where can I find documentation on how one configures this? The best I found was a bug containing a lot of NSS patches and a page with the state of intent, but no usage docs specifically for server users.
I can refer you to the following information: https://github.com/nmav/fedora-crypto-policies/blob/master/update-crypto-policies.8.txt#L119 https://fedoraproject.org/wiki/Changes/NSSCryptoPolicies If that is not sufficient, I'd recommend to reach our NSS maintainers directly.
Ok, it sure would have been nice if this had been better communicated. The result doesn't match the description. The change page reads "There are no required actions by other developers. The change requires only targeted changes to NSS" and this is not what was implemented. I fear it is going to cause mass confusion among all NSS server users and fully expect a slew of "my config changes are being ignored" bugs.