Description of problem:
Disables RSA-PSK key-exchange in OpenSSL, while DHE-PSK is enabled.
Since both suites are to be considered equal in strength, there is
no reason to have one of them disabled.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. $ openssl ciphers | grep 'RSA-PSK' ---> returns nothing
2. $ openssl ciphers | grep 'DHE-PSK' ---> returns enabled ciphers
RSA-PSK based ciphers are disabled.
RSA-PSK based ciphers should be enabled, as there is no known
reason to block them.
RSA-PSK based ciphers have been introduced with OpenSSL 1.1 for TLSv1.3.
TLSv3 used the following ciphers, which are RSK-PSK based (and thus are
already white-listed explicitly):
The following RSA-PSK based cipher are disabled for no reason:
Enabling them by policy is as easy as adding `kRSAPSK` to the
This applies to any actively supported Fedora release, as well as
to RHEL8. Please consider backporting.
The reason to not enable RSA-PSK ciphersuites by default is that:
1. they are not used by default
2. they do not actually have an equivalent in TLS-1.3
3. special applications that need them, can enable them by using non-default cipher string
That is I do not think there is any reason to not _support_ RSA-PSK for example via a subpolicy.
FEDORA-2020-bb31ea7e2b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb31ea7e2b
FEDORA-2020-bb31ea7e2b has been pushed to the Fedora 33 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bb31ea7e2b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb31ea7e2b
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-bb31ea7e2b has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.