Bug 1821875 - Strong crypto settings: phase 2
Summary: Strong crypto settings: phase 2
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 33
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
Blocks: F33Changes
Reported: 2020-04-07 18:32 UTC by Ben Cotton
Modified: 2020-10-29 15:47 UTC

Fixed In Version: crypto-policies-20200702-2.gitc40cede.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 14:47:52 UTC
Type: ---


System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1884920 0 unspecified CLOSED Cannot ssh into CentOS 6 using ssh key authentication 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1892704 0 unspecified CLOSED domains with SHA1 DNSSEC algorithms SERVFAIL in Fedora 33 2021-02-22 00:41:40 UTC

Internal Links: 1892704

Description Ben Cotton 2020-04-07 18:32:13 UTC
This is a tracking bug for Change: Strong crypto settings: phase 2
For more details, see: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

We update the current system-wide crypto policy to further disable legacy cryptographic protocols (TLS 1.0 and TLS 1.1), weak Diffie-Hellman key exchange sizes (1024 bit), and use of the SHA-1 hash in signatures.

Comment 1 Ben Cotton 2020-08-11 13:10:44 UTC
Branching F33 Change Tracker bugs.

Today is the code complete (testable) deadline. All bugs should be at least in MODIFIED state by now to indicate they are testable.

Comment 2 Ben Cotton 2020-10-27 14:47:52 UTC
Closing tracking bugs for F33. If your change didn't make it into F33 for some reason, please reopen this and NEEDINFO me.

Comment 3 Petr Špaček 2020-10-29 14:44:35 UTC
Breakage found after release:
- OpenSSH - connecting to RHEL 6 servers - bug 1884920
- Knot Resolver - DNSSEC validation of DNS domains with SHA1 signatures - bug 1892704 (affects fedoraproject.org as well, LOL)

Comment 4 Tomas Mraz 2020-10-29 15:47:29 UTC
The SSH to RHEL-6 is expected and not a bug. However, the other is a little bit unexpected, as the SHA1 disablement was supposed to be applied only within the context of the TLS, SSH, and IKE protocols. It was not supposed to be applied to DNSSEC.
