1335950 – libreswan: remove or disable any deprecated ciphers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1335950 - libreswan: remove or disable any deprecated ciphers

Summary: libreswan: remove or disable any deprecated ciphers

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	6.9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1335911
TreeView+	depends on / blocked

Reported:	2016-05-13 15:21 UTC by Nikos Mavrogiannopoulos
Modified:	2016-08-17 12:13 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1335949
Environment:
Last Closed:	2016-07-06 19:20:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Nikos Mavrogiannopoulos 2016-05-13 15:21:30 UTC

RHEL includes several cryptographic components who's security doesn't remain constant over time. Algorithms such as (cryptographic) hashing and encryption typically have a lifetime after which they are considered either too risky to use or plain insecure. That would mean we need to phase out such algorithms from the default settings, or completely disable if they could cause irreparable issue. 

This bug is about removing by default algorithms that are deemed unsafe by the IETF IPSECME Working group (MUST NOT). Algorithms that are in SHOULD NOT state will be kept but removed from the default set.

The relevant (at the moment) drafts are:
 * draft-ietf-ipsecme-rfc4307bis
 * draft-mglt-ipsecme-rfc7321bis

Comment 1 Paul Wouters 2016-07-04 08:08:59 UTC

currently both drafts only contain 1DES as MUST NOT, which has never been supported since 1995. It further has DH1024 and 3DES as new SHOULD NOT's. Since both are still safe and in common use, I would not change it this late into RHEL6. These changes are also not currently scheduled for RHEL7.3 but will only be done in RHEL-7.4

I would suggest closing this bug

Comment 2 Nikos Mavrogiannopoulos 2016-07-06 16:42:57 UTC

Feel free to close the bug if you think that no action is necessary.

Comment 3 Paul Wouters 2016-07-06 19:20:05 UTC

thanks

Note You need to log in before you can comment on or make changes to this bug.