Description of problem:
Disables RSA-PSK key-exchange in OpenSSL, while DHE-PSK is enabled. Since both suites are to be considered equal in strength, there is no reason to have one of them disabled.

Version-Release number of selected component (if applicable):
any

How reproducible:
100%

Steps to Reproduce:
1. $ openssl ciphers | grep 'RSA-PSK' ---> returns nothing
2. $ openssl ciphers | grep 'DHE-PSK' ---> returns enabled ciphers

Actual results:
RSA-PSK based ciphers are disabled.

Expected results:
RSA-PSK based ciphers should be enabled, as there is no known reason to block them.

Additional info:
RSA-PSK based ciphers have been introduced with OpenSSL 1.1 for TLSv1.3. TLSv3 used the following ciphers, which are RSA-PSK based (and thus are already white-listed explicitly):

* TLS_AES_256_GCM_SHA384
* TLS_CHACHA20_POLY1305_SHA256
* TLS_AES_128_GCM_SHA256
* TLS_AES_128_CCM_SHA256

The following RSA-PSK based ciphers are disabled for no reason:

* RSA-PSK-AES256-GCM-SHA384
* RSA-PSK-CHACHA20-POLY1305
* RSA-PSK-AES128-GCM-SHA256
* RSA-PSK-AES256-CBC-SHA
* RSA-PSK-AES128-CBC-SHA256
* RSA-PSK-AES128-CBC-SHA

Enabling them by policy is as easy as adding `kRSAPSK` to the `CipherString` in `opensslcnf.config`. This applies to any actively supported Fedora release, as well as to RHEL8. Please consider backporting.
See: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/79
The reason to not enable RSA-PSK ciphersuites by default is that:

1. they are not used by default
2. they do not actually have an equivalent in TLS-1.3
3. special applications that need them can enable them by using a non-default cipher string

That is, I do not think there is any reason to not _support_ RSA-PSK, for example via a subpolicy.
FEDORA-2020-bb31ea7e2b has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb31ea7e2b
FEDORA-2020-bb31ea7e2b has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bb31ea7e2b`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb31ea7e2b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-bb31ea7e2b has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
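
Added example, not part of the original bug report or of crypto-policies: the reproduction steps above grep suite names, while `openssl ciphers -v` also prints each suite's key exchange in a `Kx=` column, so the enabled set can be audited by key exchange instead. The helper names `kx_summary` and `kx_enabled` are hypothetical, and the sample lines are constructed to mirror the reported state (DHE-PSK present, RSA-PSK absent).

```shell
#!/bin/sh
# Audit which key-exchange families a cipher list contains, using the Kx=
# column of `openssl ciphers -v` rather than matching on suite names.

# Constructed sample in `openssl ciphers -v` format (not captured from a host).
sample_ciphers() {
cat <<'EOF'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK Au=PSK Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

# kx_summary: read `openssl ciphers -v` lines on stdin and print one
# "<Kx> <count>" line per key-exchange family, sorted bytewise.
kx_summary() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^Kx=/) { sub(/^Kx=/, "", $i); n[$i]++ } }
         END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# kx_enabled KX: exit 0 if at least one suite on stdin has Kx=KX, else 1.
kx_enabled() {
    awk -v want="Kx=$1" '{ for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
                         END { exit !found }'
}

# Demo on the constructed sample.
sample_ciphers | kx_summary
if sample_ciphers | kx_enabled RSAPSK; then
    echo "RSA-PSK suites present in this list"
else
    echo "no RSA-PSK suites in this list"
fi

# On a real host, compare the default list with an explicit cipher string:
#   openssl ciphers -v           | kx_summary
#   openssl ciphers -v 'kRSAPSK' | kx_summary
```
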