This is a tracking bug for Change: Strong crypto settings: phase 2
For more details, see: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
We update the current system-wide crypto policy to further disable legacy cryptographic protocols (TLS 1.0 and TLS 1.1), weak Diffie-Hellman key exchange sizes (1024 bit), and use of the SHA-1 hash in signatures.
Branching F33 Change Tracker bugs.
Today is the code complete (testable) deadline. All bugs should be at least in MODIFIED state by now to indicate they are testable.
Closing tracking bugs for F33. If your change didn't make it into F33 for some reason, please reopen this and NEEDINFO me.
Breakage found after release:
- OpenSSH - connecting to RHEL 6 servers - bug 1884920
- Knot Resolver - DNSSEC validation of DNS domains with SHA1 signatures - bug 1892704 (affects fedoraproject.org as well, LOL)
The SSH to RHEL-6 is expected and not a bug. However, the other is a little bit unexpected, as the SHA1 disablement was supposed to be applied only within the context of the TLS, SSH, and IKE protocols. It was not supposed to be applied to DNSSEC.
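Added example (not part of the bug report and not Fedora or Knot Resolver code): one way to check whether a zone falls into the category the Knot Resolver breakage concerns, by reading the algorithm field of DNSKEY and RRSIG records in zone-file presentation format, as printed by `dig +dnssec`. The algorithm numbers are the IANA DNSSEC assignments; the sample records and function names are constructed for illustration.

```python
# IANA DNSSEC algorithm numbers whose signatures are computed over SHA-1.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Constructed sample records (key and signature data are placeholders).
SAMPLE = """\
example.org. 3600 IN DNSKEY 257 3 5 CONSTRUCTEDKEY
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20201101000000 20201001000000 12345 example.org. CONSTRUCTEDSIG
example.net. 3600 IN DNSKEY 257 3 13 CONSTRUCTEDKEY
example.net. 3600 IN RRSIG A 13 2 3600 20201101000000 20201001000000 54321 example.net. CONSTRUCTEDSIG
example.com. 300 IN A 192.0.2.1
"""

def record_algorithm(line):
    """Return (owner, rtype, algorithm) for a DNSKEY or RRSIG line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith(";"):
        return None
    # TTL and class are optional, so the type is one of the first three fields after the owner.
    for i, field in enumerate(fields[1:4], start=1):
        if field.upper() in ("DNSKEY", "RRSIG"):
            rtype, rdata = field.upper(), fields[i + 1:]
            break
    else:
        return None
    # DNSKEY rdata: flags protocol algorithm key. RRSIG rdata: type-covered algorithm labels ...
    idx = 2 if rtype == "DNSKEY" else 1
    if len(rdata) <= idx or not rdata[idx].isdigit():
        return None
    return fields[0].lower(), rtype, int(rdata[idx])

def sha1_signed_zones(text):
    """Map owner name -> sorted SHA-1 based algorithm mnemonics found in its records."""
    hits = {}
    for line in text.splitlines():
        rec = record_algorithm(line)
        if rec and rec[2] in SHA1_ALGORITHMS:
            hits.setdefault(rec[0], set()).add(SHA1_ALGORITHMS[rec[2]])
    return {owner: sorted(names) for owner, names in hits.items()}

if __name__ == "__main__":
    for owner, algs in sha1_signed_zones(SAMPLE).items():
        print(f"{owner}: uses {', '.join(algs)}; affected when the validator rejects SHA-1 signatures")
```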