Description of problem:
In the description of the FUTURE profile in the crypto policy system wide change (https://fedoraproject.org/wiki/Changes/CryptoPolicy), as well as in the FUTURE.pl source file (https://gitlab.com/nmav/fedora-crypto-policies/blob/master/back-ends/profiles/FUTURE.pl#L15), it says that only protocols TLS1.2+ are allowed. However it seems that is not true for OpenSSL. TLS1.1 works just fine with FUTURE applied.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. On server run:
# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
# echo FUTURE > /etc/crypto-policies/config
# openssl s_server -key key.pem -cert cert.pem -accept 8000 -cipher 'PROFILE=SYSTEM'
2. On client run:
# openssl s_client -connect server:8000 -tls1_1
The client connects.
The client should not connect.
This is unfortunately a known issue that we are trying to address. Currently the openssl library doesn't provide any knobs for us to use to disable the protocol for multiple applications.
I thought so. Could you document it as a known issue until it's fixed? I didn't see any note about it anywhere.
Re-titled for clarity. In short what we need from openssl to provide the strong system-wide defaults are:
* Be able to configure protocol version system-wide
* Be able to configure limits on RSA/FFDHE algorithms
* Be able to configure allowed curves for key exchange
It seems the openssl tool does not even honor the DEFAULT cipher list by default (openssl-1.1.0g-2.fc28.x86_64). As expected, this fails to connect because DEFAULT does not contain DES-CBC3-SHA required by the server:
$ openssl s_client -connect www.halstead.com:443 -cipher DEFAULT
But this surprisingly connects:
$ openssl s_client -connect www.halstead.com:443
In my opinion these two commands should behave identically.
No, if you explicitly specify DEFAULT, it uses the built-in library default and does not apply crypto policies.
(In reply to Tomas Mraz from comment #5)
> No, if you explicitly specify DEFAULT, it uses the built-in library default
> and does not apply crypto policies.
Right. 3DES-CBC will be removed from the crypto policies on F28.
Ok. OpenSSL's DEFAULT and crypto-policy's DEFAULT are two different defaults. I understand.
Are DES-CBC3 and 3DES-CBC the same ciphersuite? I don't think so. DES has already been excluded from crypto-policy's DEFAULT, yet:
$ openssl ciphers | tr ':' "\n" |grep '^DES-CBC3-SHA$'
and the openssl s_client without an explicit -cipher argument succeeds. Why?
(In reply to Petr Pisar from comment #7)
> Ok. OpenSSL's DEFAULT and crypto-policy's DEFAULT are two different
> defaults. I understand.
> Are DES-CBC3 and 3DES-CBC the same ciphersuite?
Yes. DES-CBC3 is openssl's way of saying 3DES-CBC.
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
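
Added example, not part of the original report or of the crypto-policies project: a shell check that turns the manual reproduction above into a pass/fail test of a minimum protocol version. The function names and the abridged sample transcripts are constructed for illustration; only the `openssl s_client` options are the ones used in the report.

```shell
# Rank the protocol names s_client prints; unknown names rank below all.
proto_rank() {
    case "$1" in
        SSLv3) echo 0 ;; TLSv1) echo 1 ;; TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;; TLSv1.3) echo 4 ;; *) echo -1 ;;
    esac
}

# Print the negotiated protocol from a transcript on stdin, or NONE.
# A refused handshake still prints a "Protocol" line for the version that
# was attempted, so the Cipher field decides whether a session exists.
negotiated_protocol() {
    awk '/^[ \t]*Protocol[ \t]*:/ { proto = $NF }
         /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
         END { ok = (proto != "" && cipher != "" && cipher != "0000")
               print (ok ? proto : "NONE") }'
}

# Return 0 when the transcript on stdin respects the minimum version ($1),
# 1 when a weaker or unknown protocol was negotiated. NONE counts as a pass.
transcript_meets_minimum() {
    min=$1
    got=$(negotiated_protocol)
    [ "$got" = "NONE" ] && return 0
    [ "$(proto_rank "$got")" -ge "$(proto_rank "$min")" ]
}

# Live probe (needs a reachable server): $1 host:port, $2 protocol flag
# such as -tls1_1 from the report, $3 minimum version the policy promises.
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 |
        transcript_meets_minimum "$3"
}

# Constructed, abridged transcripts; not captured from a real host.
SAMPLE_TLS11='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'
```

With the FUTURE policy applied, `probe server:8000 -tls1_1 TLSv1.2` returning non-zero reproduces the behaviour reported here.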