From Fedora Project Wiki
Line 4: Line 4:
 
* OpenSSL applications: If the application provides a configuration file that allows to modify the cipher list string, ensure that the default is "PROFILE=SYSTEM". In that case no further action is required. Otherwise, if the application doesn't have a configuration file, ensure that there is no default cipher list specified, or that the default list is set as "PROFILE=SYSTEM". That is, check the source code for SSL_CTX_set_cipher_list(). If it is not present then nothing needs to be done (the default is used). Otherwise, if that call is present and and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call.
 
* OpenSSL applications: If the application provides a configuration file that allows to modify the cipher list string, ensure that the default is "PROFILE=SYSTEM". In that case no further action is required. Otherwise, if the application doesn't have a configuration file, ensure that there is no default cipher list specified, or that the default list is set as "PROFILE=SYSTEM". That is, check the source code for SSL_CTX_set_cipher_list(). If it is not present then nothing needs to be done (the default is used). Otherwise, if that call is present and and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call.
  
* GnuTLS applications: If the application provides a configuration file that allows to modify the cipher priority string, ensure that the default is "@SYSTEM". Otherwise, if the application doesn't have a configuration file, ensure that it uses gnutls_set_default_priority(), or that the default priority string is "@SYSTEM". That is, check the sourcec code for gnutls_priority_set_direct(), gnutls_priority_init(); if they are not present and gnutls_set_default_priority() is used, nothing needs to be done. Otherwise check the strings provided by the application. If it contains PSK or SRP do nothing (these applications are not currently covered by the default policy). If not, then replace gnutls_priority_set_direct() with gnutls_set_default_priority(). If gnutls_priority_init() is used instead with a fixed string, replace the string with "@SYSTEM".
+
* GnuTLS applications: If the application provides a configuration file that allows to modify the cipher priority string, ensure that the default is "@SYSTEM". In that case no further action is required. Otherwise, if the application doesn't have a configuration file, ensure that it uses gnutls_set_default_priority(), or that the default priority string is "@SYSTEM". That is, check the sourcec code for gnutls_priority_set_direct(), gnutls_priority_init(); if they are not present and gnutls_set_default_priority() is used, nothing needs to be done. Otherwise check the strings provided by the application. If it contains PSK or SRP do nothing (these applications are not currently covered by the default policy). If not, then replace gnutls_priority_set_direct() with gnutls_set_default_priority(). If gnutls_priority_init() is used instead with a fixed string, replace the string with "@SYSTEM".
  
 
Applications utilizing other cryptographic libraries do not adhere to the system wide crypto policies.
 
Applications utilizing other cryptographic libraries do not adhere to the system wide crypto policies.
  
 
[[Category:Packaging guidelines drafts]]
 
[[Category:Packaging guidelines drafts]]

Revision as of 09:46, 8 August 2014

Enforce system crypto policies

Since Fedora 21 (http://fedoraproject.org/wiki/Changes/CryptoPolicy) there are policies for the usage of SSL and TLS cryptographic protocols that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to applications using GnuTLS and OpenSSL.

  • OpenSSL applications: If the application provides a configuration file that allows to modify the cipher list string, ensure that the default is "PROFILE=SYSTEM". In that case no further action is required. Otherwise, if the application doesn't have a configuration file, ensure that there is no default cipher list specified, or that the default list is set as "PROFILE=SYSTEM". That is, check the source code for SSL_CTX_set_cipher_list(). If it is not present then nothing needs to be done (the default is used). Otherwise, if that call is present and and provided a fixed string which does not contain PSK or SRP, replace the string with "PROFILE=SYSTEM", or remove the call.
  • GnuTLS applications: If the application provides a configuration file that allows to modify the cipher priority string, ensure that the default is "@SYSTEM". In that case no further action is required. Otherwise, if the application doesn't have a configuration file, ensure that it uses gnutls_set_default_priority(), or that the default priority string is "@SYSTEM". That is, check the sourcec code for gnutls_priority_set_direct(), gnutls_priority_init(); if they are not present and gnutls_set_default_priority() is used, nothing needs to be done. Otherwise check the strings provided by the application. If it contains PSK or SRP do nothing (these applications are not currently covered by the default policy). If not, then replace gnutls_priority_set_direct() with gnutls_set_default_priority(). If gnutls_priority_init() is used instead with a fixed string, replace the string with "@SYSTEM".

Applications utilizing other cryptographic libraries do not adhere to the system wide crypto policies.