From Fedora Project Wiki
(Original page)
 
(Proposed new page)
Line 1: Line 1:
 
== Enforcing system crypto policies ==
 
== Enforcing system crypto policies ==
Since Fedora 21 ([[Changes/CryptoPolicy]]) there are policies for the usage of SSL and TLS cryptographic protocols that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to applications using GnuTLS and OpenSSL,
+
Since Fedora 21 ([[Changes/CryptoPolicy]]) there are policies for the usage of cryptographic protocols such as TLS that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind. The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the [https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team].
and rpmlint will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the [https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team].
+
 
 +
=== New crypto libraries ===
 +
New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.
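Review bot: in the rewritten first paragraph, "intentionally set weaker, or custom settings on a purpose" should read "intentionally set weaker or custom settings on purpose" (stray comma, and "on a purpose" is not idiomatic), and "Note however, that" reads better as "Note, however, that". A smaller style point: the coverage sentence mixes three kinds of things in one clause (libraries "GnuTLS, OpenSSL, NSS, libkrb5", the language "Java", and the applications "OpenSSH and bind"); splitting it into a short list would make it easier to keep current as coverage grows. The substantive change, folding the old page's dangling fragment "and rpmlint will warn when it detects ..." into a complete sentence, is fine as written.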

Revision as of 18:30, 16 August 2018

Enforcing system crypto policies

Since Fedora 21 (Changes/CryptoPolicy) there are policies for the usage of cryptographic protocols such as TLS that are enforced system-wide. Each application being added to Fedora must be checked to comply with the policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS and libkrb5, languages such as Java, and major applications like OpenSSH and bind. The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note, however, that there are applications which intentionally set weaker or custom settings on purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the Fedora security team.
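To make the "heuristics, limited to C programs" remark concrete, here is an added example that is not rpmlint's own code nor any Fedora project code: a simplified, source-level imitation in Python of the kind of check rpmlint performs. It assumes that the OpenSSL and GnuTLS calls listed in OVERRIDE_CALLS are the ones that replace the library's policy-driven defaults, and that "PROFILE=SYSTEM" (OpenSSL) and "@SYSTEM" (GnuTLS) are the strings an application passes to opt back in to the system policy; rpmlint itself looks for these function references in compiled binaries, whereas this version scans C source text so it can run offline. The helper names split_args, classify and scan, and the sample C source, are constructed for this example.

```python
"""Added example, not rpmlint's or Fedora's own code: a simplified, source-level
imitation of the heuristic rpmlint applies to C programs to spot code that
overrides the system crypto policy.  rpmlint looks for these function references
in compiled binaries; this version scans C source text so it runs offline."""
import re

# Assumption: calls that replace the library's policy-driven defaults, mapped to
# the literal that hands control back to the system policy (always the 2nd argument).
OVERRIDE_CALLS = {
    "SSL_CTX_set_cipher_list": "PROFILE=SYSTEM",
    "SSL_set_cipher_list": "PROFILE=SYSTEM",
    "gnutls_priority_set_direct": "@SYSTEM",
    "gnutls_priority_init": "@SYSTEM",
}
CALL_RE = re.compile(r"\b(" + "|".join(OVERRIDE_CALLS) + r")\s*\(")
STRING_LIT = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def split_args(src, open_paren):
    """Argument list of the call whose '(' is at src[open_paren]: split on
    top-level commas only, leaving nested calls and string literals intact."""
    depth, args, cur, in_str, i = 1, [], [], False, open_paren + 1
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):   # keep the escaped char verbatim
                i += 1
                cur.append(src[i])
            elif c == '"':
                in_str = False
        elif c == ")" and depth == 1:
            args.append("".join(cur).strip())
            return args
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            in_str = c == '"'
            depth += (c == "(") - (c == ")")
            cur.append(c)
        i += 1
    return args   # unterminated call: return what was collected


def classify(func, args):
    """Apply the heuristic to one call; returns (verdict, detail) where verdict
    is "compliant", "non-compliant" or "manual" (a human has to read the code)."""
    expected = OVERRIDE_CALLS[func]
    if len(args) < 2:
        return "manual", "unexpected argument count"
    arg = args[1]
    if arg == "NULL" and func.startswith("gnutls_"):
        return "compliant", "NULL selects the GnuTLS default priority"
    m = STRING_LIT.match(arg)
    if not m:   # variable, macro or function result: cannot be judged statically
        return "manual", f"argument {arg} is not a string literal"
    value = m.group(1)
    if value == expected:
        return "compliant", f"uses {expected}"
    if value.startswith(expected):
        return "manual", f"extends {expected}; check that it only tightens the policy"
    return "non-compliant", f"hardcodes {value!r} instead of {expected!r}"


def scan(src):
    """Run the heuristic over C source text; returns (line, func, verdict, detail) tuples."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end() - 1)
        verdict, detail = classify(m.group(1), args)
        findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), verdict, detail))
    return findings


# Constructed sample C source (never compiled here).
SAMPLE_C = r'''int setup_openssl(SSL_CTX *ctx) {
    return SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5");   /* hardcoded */
}
int setup_openssl_ok(SSL_CTX *ctx) {
    return SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM");     /* opts in */
}
int setup_gnutls(gnutls_session_t s, const char *prio) {
    const char *err;
    return gnutls_priority_set_direct(s, prio, &err);          /* not a literal */
}
int setup_gnutls_ok(gnutls_session_t s) {
    return gnutls_set_default_priority(s);                     /* never flagged */
}
'''

if __name__ == "__main__":
    for line, func, verdict, detail in scan(SAMPLE_C):
        print(f"line {line}: {func}: {verdict} ({detail})")
```

The "manual" verdict is the point of the exercise: a cipher or priority string that arrives in a variable, a macro or a function result is invisible to a pattern match, and a string that starts with the system keyword but appends modifiers may loosen the policy just as easily as tighten it. Both cases are exactly where the guideline's "manual inspection is recommended" applies, and a reviewer should also check the non-C parts of a package that no such heuristic covers.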

New crypto libraries

New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by the Fedora Packaging Committee after consulting with the Fedora security team.