Alexander Sosedkin
|
5f8e3a70f8
|
Update from upstream (group order):
- policies: restore group order to old OpenSSL default order
Resolves: RHEL-591
|
2023-06-14 17:09:40 +02:00 |
|
Alexander Sosedkin
|
2b21b5d600
|
Update from upstream (openssl Groups and Brainpool curves):
- openssl: specify Groups explicitly
- openssl: add support for Brainpool curves
Resolves: bz2193324
|
2023-05-05 11:51:46 +02:00 |
|
Alexander Sosedkin
|
681b7d48a9
|
Update from upstream (new bind algorithms):
- bind: expand the list of disableable algorithms
Resolves: bz2152635
|
2022-12-15 10:31:48 +01:00 |
|
Alexander Sosedkin
|
a56329e5d8
|
Update from upstream (RequiredRSASize):
- openssh: rename RSAMinSize option to RequiredRSASize
Resolves: bz2129036
|
2022-10-03 17:24:09 +02:00 |
|
Alexander Sosedkin
|
a9d73e9782
|
Update from upstream (RSAMinSize):
- openssh: add RSAMinSize option following min_rsa_size
Resolves: bz2102774
|
2022-08-15 11:39:21 +02:00 |
|
Alexander Sosedkin
|
a4f00ed857
|
Update from upstream (bind ED25519/ED448):
- bind: control ED25519/ED448
Resolves: bz2077889
|
2022-04-27 11:42:38 +02:00 |
|
Alexander Sosedkin
|
9ee1288970
|
Update from upstream (DNSSEC, SNTRUP):
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com
Resolves: bz2070230
Resolves: bz2070604
|
2022-04-04 15:05:56 +02:00 |
|
Alexander Sosedkin
|
8fed911d53
|
Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check
Resolves: bz2055796
Resolves: bz2056676
|
2022-02-23 17:49:50 +01:00 |
|
Alexander Sosedkin
|
e69bea495b
|
Update from upstream (SHAKE, FIPS changes):
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos
Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
|
2022-02-03 18:49:41 +01:00 |
|
Alexander Sosedkin
|
b0d95fe7a8
|
Update from upstream (SECLEVEL=2@LEGACY, whitespace):
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output
Resolves: bz2035249
|
2022-02-01 18:05:39 +01:00 |
|
Alexander Sosedkin
|
80e3dac1e0
|
Update from upstream (OSPP, zipl):
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)
Resolves: bz2013195
|
2021-11-15 21:02:45 +01:00 |
|
Alexander Sosedkin
|
9d96f6f88f
|
Update from upstream: openssl ChaCha20, pylint 2.11
- openssl: fix disabling ChaCha20
- update for pylint 2.11
Resolves: bz2004207
|
2021-09-22 20:32:29 +02:00 |
|
Alexander Sosedkin
|
9699a7bbb8
|
Update from upstream: reorder gnutls sigalgs, fix --check
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check
Resolves: bz1994097
|
2021-09-14 15:46:26 +02:00 |
|
Alexander Sosedkin
|
5466f912c0
|
Update from upstream: gnutls sigalgs, check
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability
Resolves: bz1979200, bz1978841
|
2021-07-07 15:59:15 +02:00 |
|
Alexander Sosedkin
|
7c076748f3
|
Update from upstream: scoped policies, gnutls allowlisting, ...
- implement scoped policies, e.g., cipher@SSH = ...
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
- deprecate derived properties:
  tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
- deprecate unscoped form of protocol property
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
- libssh: respect ssh_certs
- restrict FIPS:OSPP further
- improve Python 3.10 compatibility
- update documentation
- expand upstream test coverage
- FUTURE: disable CBC ciphers for all backends but krb5
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
- disable DHE-DSS in LEGACY
- bump LEGACY key size requirements from 1023 to 1024
- add javasystem backend
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
- gnutls: use allowlisting
Resolves: bz1975854
|
2021-06-28 20:23:25 +02:00 |
|
Alexander Sosedkin
|
b15b23030d
|
Tighten policies for RHEL-9
|
2021-02-18 18:38:39 +01:00 |
|
DistroBaker
|
705dc9cc64
|
Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
|
2021-02-13 13:15:21 +00:00 |
|
DistroBaker
|
2f238bbfb1
|
Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
|
2021-01-18 19:06:23 +00:00 |
|
Petr Šabata
|
a435c5ea66
|
RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
|
2020-10-14 23:21:50 +02:00 |
|