This is a tracking bug for Change: Strong crypto settings
For more details, see: https://fedoraproject.org//wiki/Changes/StrongCryptoSettings
This change is about updating the current system-wide crypto policy to disable legacy and unused cryptographic protocols.
On 2018-Feb-20, we have reached the Fedora 28 Change Checkpoint: Completion deadline (testable).
At this point, all accepted changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be enabled at Change Completion deadline as well.
Change tracking bug should be set to the MODIFIED state to indicate it achieved completeness.
Incomplete and non-testable Changes will be reported to FESCo for the 2018-Feb-23 meeting.
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
* Mon Feb 12 2018 Nikos Mavrogiannopoulos <firstname.lastname@example.org> - 20180112-1.git386e3fe
- Updated to apply the settings as in StrongCryptoSettings project. The restriction to TLS1.2, is not yet applied as we have no method to impose that in openssl.
  https://fedoraproject.org/wiki/Changes/StrongCryptoSettings
So I guess this change is partially implemented.
Not sure how to express that here.
It seems to me that the missing bit is a smaller part of the Change. If that is true, I'd just update the Change page to clearly say which part is deferred, and proceed with the rest (i.e. set it to MODIFIED, fill in the Documentation section, etc.).
Thanks. I've updated the change to document the contingency plan.
Since I updated my Rawhide last week, I have issues connecting to some sites using FF due to errors like:
An error occurred during a connection to ****.com. Při komunikaci protokolem SSL byl v inicializační zprávě typu Server Key Exchange obdržen slabý klíč typu Diffie-Hellman. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
I have similar issues connecting my TB to the mail server:
An error occurred during a connection to mail.xxx.com:993.
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
I have updated neither FF nor TB.
The strong settings seem to affect VPNs as well (#1549242)
On 2018-Mar-08 we reached the "Change Checkpoint: 100% Code Complete Deadline" milestone for Fedora 28 release. At this point all the Changes not at least in "ON_QA" state should be brought to FESCo for review. Please update the state of this bug to "ON_QA" if it is already 100% completed. Please let me know in case you have any trouble with the implementation and the Change needs any help or review.
crypto-policies-20180306-1.gitaea6928.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b849029629
Due to regressions seen in connecting to (1) internal/intranet web sites, (2) SSL VPN servers, I've backed off some of the original plan and modified the plan description  to the implemented plan.
* Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
* Require finite field parameters (RSA, Diffie-Hellman) of 2048 and more in the default settings
* Disable DSA by default
Fallback (current plan):
* Disable DSA by default
* Require RSA certificates of 2048 bits and more in the default settings (Diffie-Hellman remains >= 1024)
The items in the original plan that were not implemented are to be postponed to a later time. I also renamed the change to "Strong crypto settings: phase 1" to reflect that.
The fallback plan requires the updates in  to be merged.
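To see which endpoints each plan would refuse, the original and fallback plans listed in the comment above can be written as data and run over handshake parameters collected from servers. This is an added example, not part of the bug thread or of crypto-policies: the `Plan` and `Handshake` names and the sample hosts are constructed, and it assumes the fallback leaves TLS 1.0/1.1 enabled because the fallback lists no protocol change.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plan:
    name: str
    min_tls: tuple      # lowest enabled TLS version, e.g. (1, 2)
    min_rsa_bits: int
    min_dh_bits: int

# Original plan: TLS 1.2+, RSA and Diffie-Hellman >= 2048, DSA disabled.
ORIGINAL = Plan("original", (1, 2), 2048, 2048)
# Fallback plan: DSA disabled, RSA >= 2048, Diffie-Hellman stays >= 1024.
# Assumption: TLS 1.0/1.1 stay enabled, since the fallback lists no protocol change.
FALLBACK = Plan("fallback", (1, 0), 2048, 1024)

@dataclass(frozen=True)
class Handshake:
    host: str
    tls: tuple          # negotiated version
    cert_alg: str       # "RSA", "DSA" or "ECDSA"
    cert_bits: int
    dh_bits: int = 0    # 0 when the key exchange is not finite-field DHE

def violations(plan, hs):
    """Return the reasons this plan would refuse the handshake (empty = accepted)."""
    reasons = []
    if hs.tls < plan.min_tls:
        reasons.append("TLS %d.%d disabled" % hs.tls)
    if hs.cert_alg == "DSA":            # both plans disable DSA
        reasons.append("DSA disabled")
    elif hs.cert_alg == "RSA" and hs.cert_bits < plan.min_rsa_bits:
        reasons.append("RSA %d < %d" % (hs.cert_bits, plan.min_rsa_bits))
    if hs.dh_bits and hs.dh_bits < plan.min_dh_bits:
        reasons.append("DH %d < %d" % (hs.dh_bits, plan.min_dh_bits))
    return reasons

def relaxed_by_fallback(observed):
    """Hosts the original plan refuses but the fallback still accepts."""
    return [h.host for h in observed
            if violations(ORIGINAL, h) and not violations(FALLBACK, h)]

# Constructed observations (hypothetical hosts, not taken from the bug report).
OBSERVED = [
    Handshake("mail.example.test", (1, 2), "RSA", 2048, dh_bits=1024),
    Handshake("intranet.example.test", (1, 0), "RSA", 2048),
    Handshake("vpn.example.test", (1, 2), "RSA", 1024, dh_bits=2048),
    Handshake("old.example.test", (1, 2), "DSA", 1024),
    Handshake("www.example.test", (1, 2), "ECDSA", 256),
]

if __name__ == "__main__":
    for h in OBSERVED:
        print(h.host, violations(ORIGINAL, h), violations(FALLBACK, h))
    print("reachable again under fallback:", relaxed_by_fallback(OBSERVED))
```

Hosts returned by `relaxed_by_fallback` are the ones that will break again when the postponed items are applied, so they are the inventory to remediate before the later phase.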
crypto-policies-20180306-1.gitaea6928.fc28, openssh-7.6p1-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b849029629
crypto-policies-20180306-1.gitaea6928.fc28, openssh-7.6p1-7.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.