File _service:tar_scm:backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch of Package crypto-policies
From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz <tmraz@fedoraproject.org> Date: Thu, 2 Jul 2020 15:40:01 +0200 Subject: [PATCH] Describe some of the quirks of the back-end config generators. --- crypto-policies.7.txt | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt index 0971935..2b583b8 100644 --- a/crypto-policies.7.txt +++ b/crypto-policies.7.txt @@ -277,7 +277,7 @@ COMMANDS NOTES ----- -*Exceptions:* +*Exceptions* * *Go-language* applications do not yet follow the system-wide policy. * *GnuPG-2* application does not follow the system-wide policy. 
@@ -323,6 +323,29 @@ of individual applications: * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1 * *IKEv1* +*Notable irregularities in the individual configuration generators* + +* *OpenSSL*: The minimum length of the keys and some other parameters +are enforced by the @SECLEVEL value which does not provide a fine +granularity. The list of *TLS* ciphers is not generated as an exact list +but by subtracting from all the supported ciphers for the enabled key +exchange methods. For that reason there is no way to disable a random cipher. +In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not +present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM* +is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1* +in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM* +ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher +list. + +* *GnuTLS*: The minimum length of the keys and some other parameters +are enforced by min-verification-profile setting in the *GnuTLS* configuration +file which does not provide fine granularity. + +* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy +allows 1024 bit *DH* groups in general. The OpenSSH configuration option +HostKeyAlgorithms is set only for the *SSH* server as otherwise the +handling of the existing known hosts entries would be broken on client. + HISTORY ------- -- 2.33.0
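Review bot: the colon removal in the `-*Exceptions:*` / `+*Exceptions*` heading of the first hunk is a formatting change not covered by the commit subject; it does make the heading consistent with the new `*Notable irregularities in the individual configuration generators*` heading added in the second hunk, so a one-line mention in the commit message would help readers of the history understand why it is included.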
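Review bot: in the OpenSSL paragraph of the second hunk the CBC condition is ambiguous: "The *CBC* ciphers are disabled if there isn't *HMAC-SHA1* in the hmac list and *AES-256-CBC* in the cipher list" can be read either as "disabled unless both are present" or as "disabled only when both are absent"; the CCM sentence that follows spells out its condition ("both ... must not be present"), so the CBC sentence should be made equally explicit. In the same paragraph "there is no way to disable a random cipher" suggests randomness is involved; "an arbitrary single cipher" says what is meant. The OpenSSL and GnuTLS paragraphs use the same opening sentence with one saying "a fine granularity" and the other "fine granularity"; pick one wording. In the OpenSSH paragraph, "on server" and "on client" should read "on the server" and "on the client".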