Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1335950 - libreswan: remove or disable any deprecated ciphers
Summary: libreswan: remove or disable any deprecated ciphers
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libreswan
Version: 6.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1335911
TreeView+ depends on / blocked
 
Reported: 2016-05-13 15:21 UTC by Nikos Mavrogiannopoulos
Modified: 2016-08-17 12:13 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1335949
Environment:
Last Closed: 2016-07-06 19:20:05 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Nikos Mavrogiannopoulos 2016-05-13 15:21:30 UTC 
RHEL includes several cryptographic components who's security doesn't remain constant over time. Algorithms such as (cryptographic) hashing and encryption typically have a lifetime after which they are considered either too risky to use or plain insecure. That would mean we need to phase out such algorithms from the default settings, or completely disable if they could cause irreparable issue. 

This bug is about removing by default algorithms that are deemed unsafe by the IETF IPSECME Working group (MUST NOT). Algorithms that are in SHOULD NOT state will be kept but removed from the default set.

The relevant (at the moment) drafts are:
 * draft-ietf-ipsecme-rfc4307bis
 * draft-mglt-ipsecme-rfc7321bis
Comment 1 Paul Wouters 2016-07-04 08:08:59 UTC 
currently both drafts only contain 1DES as MUST NOT, which has never been supported since 1995. It further has DH1024 and 3DES as new SHOULD NOT's. Since both are still safe and in common use, I would not change it this late into RHEL6. These changes are also not currently scheduled for RHEL7.3 but will only be done in RHEL-7.4

I would suggest closing this bug
Comment 2 Nikos Mavrogiannopoulos 2016-07-06 16:42:57 UTC 
Feel free to close the bug if you think that no action is necessary.
Comment 3 Paul Wouters 2016-07-06 19:20:05 UTC 
thanks
Note You need to log in before you can comment on or make changes to this bug.