Please convert to use the system's crypto policy for SSL and TLS: https://fedoraproject.org/wiki/Packaging:CryptoPolicies If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority(). If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM". In both cases please verify that the application uses the system's crypto policies. If the package is already using the system-wide crypto policies, or it does not use SSL or TLS, no action is required; the bug can simply be closed.
The wiki states that NSS is still waiting on this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
I reported this bug, because 'repoquery --whatrequires openssl' reports systemtap-server as depending on openssl. If that's not the case and it only needs NSS, we can ignore that issue until #1157720 is resolved.
Ah, seems we use the openssl command to generate a certificate: https://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=blob;f=stap-serverd.cxx;h=422a3e17055e3a31ea1668653f85dc37ec43c77c;hb=HEAD#l1589 I think ciphers are irrelevant in this case, but please correct me if anything needs to change in that command line. I'm not sure why we don't use the NSS API or tools to generate the cert, but this isn't my area. David, did you consider that? (assuming it's possible...)
It is possible to create certificates using the NSS API. The server does this for the SSL certificate within gen_cert_db() in nsscommon.cxx. This function could be factored a bit (it assumes that only the SSL certificate is needed) so that the common bits could also be used to generate the MOK certificate.
Nikos, you should probably search for openssl-devel (API users) rather than openssl (at most command line users), in order to avoid this particular false positive.
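An added example, not part of the original thread or of systemtap's code: a heuristic source scan for the verification the first comment asks for, which also separates library API use from the command-line-only use raised in the later comments. The names `audit` and `POLICY_CALLS`, the regexes and the sample C snippet are constructed for illustration.

```python
import re

# Calls whose 2nd argument is a cipher/priority string, with the value the first
# comment asks for. gnutls_set_default_priority() takes no string, so is not listed.
POLICY_CALLS = {
    "SSL_CTX_set_cipher_list": "PROFILE=SYSTEM",
    "SSL_set_cipher_list": "PROFILE=SYSTEM",
    "gnutls_priority_init": "@SYSTEM",
    "gnutls_priority_set_direct": "@SYSTEM",
}
# Heuristic: the first argument must be a simple expression (no nested call).
CALL_RE = re.compile(
    r"\b(" + "|".join(POLICY_CALLS) + r")\s*\(\s*[^,()]+,\s*"
    r'("(?:[^"\\]|\\.)*"|[^,)]+?)\s*[,)]')
# A string literal naming the openssl binary: command-line use, not the API.
CLI_RE = re.compile(r'"[^"\n]*\bopenssl\b[^"\n]*"')

def audit(source):
    """Return sorted (line, kind, detail) findings for C/C++ source text."""
    findings = []
    for m in CALL_RE.finditer(source):
        func, arg = m.group(1), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        want = POLICY_CALLS[func]
        if not arg.startswith('"'):
            findings.append((line, "review", f"{func}: non-literal {arg}"))
        elif arg[1:-1] != want:
            findings.append((line, "hardcoded", f'{func}: {arg}, want "{want}"'))
        else:
            findings.append((line, "ok", f"{func}: follows system policy"))
    for n, text in enumerate(source.splitlines(), 1):
        if not text.lstrip().startswith("#include") and CLI_RE.search(text):
            findings.append((n, "cli-only", "invokes the openssl command"))
    return sorted(findings)

# Constructed sample input, not taken from systemtap or any real project.
SAMPLE = r'''
#include <openssl/ssl.h>
void a(SSL_CTX *ctx) { SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); }
void b(SSL_CTX *ctx) { SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM"); }
void c(gnutls_session_t s) { gnutls_priority_set_direct(s,
    "NORMAL:-VERS-SSL3.0", NULL); }
void d(gnutls_priority_t *p, const char *cfg) { gnutls_priority_init(p, cfg, NULL); }
void e(void) { const char *argv[] = { "openssl", "req", "-new", NULL }; }
'''
if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE):
        print(f"{line:3} {kind:9} {detail}")
```

A "review" finding means the string is built at run time and has to be traced by hand; a "cli-only" finding is the kind of dependency the last comment describes as a false positive for this check.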