< Changes
| (8 intermediate revisions by 3 users not shown) | |||
| Line 4: | Line 4: | ||
== Summary == | == Summary == | ||
As it is now, the [ | As it is now, the [[Changes/CryptoPolicy|System-wide crypto policy]] in F25 is enforced by the OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all applications in Fedora, including the Java ones, OpenJDK is enhanced to respect the settings of the system-wide crypto policy as well. | ||
== Owner == | == Owner == | ||
| Line 20: | Line 20: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/26 | Fedora 26 ]] | ||
* Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | * Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | ||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | ||
| Line 30: | Line 30: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1340845 #1340845] | ||
== Detailed Description == | == Detailed Description == | ||
As it is now, the [ | As it is now, the [[Changes/CryptoPolicy|System-wide crypto policy]] in F25 is enforced by the OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all applications in Fedora, including the Java ones, OpenJDK is enhanced to respect the settings of the system-wide crypto policy as well. | ||
After that change the administrator should be assured that any Java application will follow a policy that adheres to the configured profile. | After that change the administrator should be assured that any Java application will follow a policy that adheres to the configured profile. | ||
| Line 57: | Line 57: | ||
* Policies and guidelines: | * Policies and guidelines: | ||
** [ | ** [[Packaging:CryptoPolicies|The packaging guidelines for crypto policies]] need to be modified to include OpenJDK/java in the list of libraries supporting the policies. | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | ||
| Line 90: | Line 90: | ||
If the changes to NSS are not complete on time then OpenJDK will remain the same without respecting the crypto policies in Fedora 25. | If the changes to NSS are not complete on time then OpenJDK will remain the same without respecting the crypto policies in Fedora 25. | ||
* Contingency deadline: | * Contingency deadline: F26 alpha | ||
* Blocks release? Yes | * Blocks release? Yes | ||
| Line 96: | Line 96: | ||
== Documentation == | == Documentation == | ||
* [ | * [[Changes/CryptoPolicy|Fedora crypto policies description]] | ||
* [ | * [[Packaging:CryptoPolicies|Fedora crypto policies packaging guidelines]] | ||
== Release Notes == | == Release Notes == | ||
| Line 106: | Line 106: | ||
"With this change a Fedora system will have a consistent way of setting a default security profile for all Java-depending applications. Overall this brings the Java applications in par with the OpenSSL and GnuTLS with respect to system-wide policy adherence." | "With this change a Fedora system will have a consistent way of setting a default security profile for all Java-depending applications. Overall this brings the Java applications in par with the OpenSSL and GnuTLS with respect to system-wide policy adherence." | ||
[[Category: | [[Category:ChangeAcceptedF26]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Latest revision as of 08:31, 12 December 2016
Java/OpenJDK enforces the system-wide crypto policy
Summary
As it is now, the System-wide crypto policy in F25 is enforced by the OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all applications in Fedora, including the Java ones, OpenJDK is enhanced to respect the settings of the system-wide crypto policy as well.
Owner
- Name: Nikos Mavrogiannopoulos
- Email: nmav@redhat.com
- Release notes owner:
Current status
Detailed Description
As it is now, the System-wide crypto policy in F25 is enforced by the OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all applications in Fedora, including the Java ones, OpenJDK is enhanced to respect the settings of the system-wide crypto policy as well.
After that change the administrator should be assured that any Java application will follow a policy that adheres to the configured profile.
Benefit to Fedora
With this change a Fedora system will have a consistent way of setting a default security profile for all java applications. Overall this brings the Java applications in par with the OpenSSL and GnuTLS with respect to system-wide policy adherence.
Scope
- Proposal owners:
The change requires modifying OpenJDK to read additional security properties from the generated by the crypto policies file (/etc/crypto-policies/back-ends/java.config).
- Other developers:
There are no required actions by other developers. The change requires only targeted changes to openjdk and crypto-policies.
- Release engineering:
No actions required.
- Policies and guidelines:
- The packaging guidelines for crypto policies need to be modified to include OpenJDK/java in the list of libraries supporting the policies.
- Trademark approval:
N/A (not needed for this Change)
Upgrade/compatibility impact
Connection to legacy systems with Java-applications may no longer be possible. This can be worked around by the administrator by switching from the DEFAULT to LEGACY crypto policy.
How To Test
Testing good operation
Test the good operation of Java applications to connect to various sites on the Internet.
Testing application of settings
- Setup an HTTPS server with a legacy protocol that is disabled in F25 system wide policy (e.g., RC4, SSL 3.0)
- Use an java application to connect to that server
- The connection should fail on F25 (may have succeeded on previous versions - something that depends on the application specific policy).
User Experience
Given that the system wide policy does disable obsolete ciphers and protocols, there should be no user noticeable result.
Dependencies
Several. Use "repoquery --whatrequires java" for the dependency listing.
Contingency Plan
- Contingency mechanism:
If the changes to NSS are not complete on time then OpenJDK will remain the same without respecting the crypto policies in Fedora 25.
- Contingency deadline: F26 alpha
- Blocks release? Yes
- Blocks product? N/A
Documentation
Release Notes
A proposal of notes is the following.
The release notes originally used in Crypto policies changes should be used, in addition to: "With this change a Fedora system will have a consistent way of setting a default security profile for all Java-depending applications. Overall this brings the Java applications in par with the OpenSSL and GnuTLS with respect to system-wide policy adherence."