Commit Graph

12 Commits

Author SHA1 Message Date
Alexander Sosedkin
8fed911d53 Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...):
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check

Resolves: bz2055796
Resolves: bz2056676
2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b Update from upstream (SHAKE, FIPS changes):
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling of FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos

Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8 Update from upstream (SECLEVEL=2@LEGACY, whitespace):
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output

Resolves: bz2035249
2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0 Update from upstream (OSPP, zipl):
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)

Resolves: bz2013195
2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f Update from upstream: openssl Chacha20, pylint 2.11
- openssl: fix disabling ChaCha20
- update for pylint 2.11

Resolves: bz2004207
2021-09-22 20:32:29 +02:00
Alexander Sosedkin
9699a7bbb8 Update from upstream: reorder gnutls sigalgs, fix --check
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check

Resolves: bz1994097
2021-09-14 15:46:26 +02:00
Alexander Sosedkin
5466f912c0 Update from upstream: gnutls sigalgs, check
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability

Resolves: bz1979200, bz1978841
2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ...
- implement scoped policies, e.g., cipher@SSH = ...
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
- deprecate derived properties:
  tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
- deprecate unscoped form of protocol property
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
- libssh: respect ssh_certs
- restrict FIPS:OSPP further
- improve Python 3.10 compatibility
- update documentation
- expand upstream test coverage
- FUTURE: disable CBC ciphers for all backends but krb5
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
- disable DHE-DSS in LEGACY
- bump LEGACY key size requirements from 1023 to 1024
- add javasystem backend
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
- gnutls: use allowlisting

Resolves: bz1975854
2021-06-28 20:23:25 +02:00
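The two constructs named in the commit above, scoped properties (`cipher@SSH = ...`) and algorithm globbing (`cipher@SSH = -*-CBC`), are easiest to understand by watching a subpolicy act on a base policy. The following is an added toy evaluator written for this page; it is not the crypto-policies project's own parser and models only what the commit message states: plain assignment, `-pattern` removal with shell-style globbing, and an `@SCOPE` suffix that limits a line to one backend. The base policy and the subpolicy texts are constructed samples, not shipped policy files, and the per-scope merge order (base policy first, then subpolicies in the order given) is an assumption of this model; the real tool's fuller syntax is not reproduced here.

```python
"""Toy model of crypto-policies scoped properties and globbing (added example).

Not the crypto-policies project's code. Assumptions of this simplified model:
  * `prop = v1 v2 ...`        replaces the list for `prop`
  * `prop = -pat1 -pat2 ...`  removes every current value matching a glob
  * `prop@SCOPE = ...`        applies only when resolving that backend scope
  * unscoped lines apply to every scope; later files win over earlier ones
"""
import fnmatch
import re

LINE_RE = re.compile(
    r'^(?P<prop>[A-Za-z_][A-Za-z0-9_]*)'      # property name, e.g. cipher
    r'(?:@(?P<scope>[A-Za-z0-9_-]+))?'        # optional @SCOPE, e.g. @SSH
    r'\s*=\s*(?P<value>.*?)\s*$'              # space-separated value list
)

# Constructed sample inputs (not real shipped policies).
BASE_POLICY = """
# base policy: every backend gets the same list
cipher = AES-256-GCM AES-256-CBC AES-128-GCM AES-128-CBC CHACHA20-POLY1305
mac = AEAD HMAC-SHA2-256 HMAC-SHA1
"""

NO_CBC_SSH = """
# subpolicy: drop all CBC modes, but only for the SSH backend
cipher@SSH = -*-CBC
"""

NO_SHA1_MAC = """
# subpolicy: drop HMAC-SHA1 everywhere (unscoped line)
mac = -HMAC-SHA1
"""


def parse(text):
    """Yield (property, SCOPE-or-None, [tokens]) for each directive line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: cannot parse {raw!r}')
        scope = m['scope'].upper() if m['scope'] else None
        yield m['prop'], scope, m['value'].split()


def apply_directive(current, tokens):
    """Return the new value list after applying one line's tokens.

    A line made entirely of `-pattern` tokens removes matching values;
    any other line replaces the list. Mixing both forms on one line is
    rejected here (an assumption of this toy model).
    """
    removals = [t[1:] for t in tokens if t.startswith('-')]
    if removals and len(removals) != len(tokens):
        raise ValueError('cannot mix removal and assignment on one line')
    if removals:
        return [v for v in current
                if not any(fnmatch.fnmatchcase(v, pat) for pat in removals)]
    return list(tokens)


def resolve(policy_text, subpolicy_texts, scope):
    """Compute the effective value of every property for one backend scope."""
    effective = {}
    for text in [policy_text, *subpolicy_texts]:
        for prop, line_scope, tokens in parse(text):
            if line_scope is not None and line_scope != scope.upper():
                continue                       # scoped to another backend
            effective[prop] = apply_directive(effective.get(prop, []), tokens)
    return effective


def effective_ciphers(scope, subpolicies=(NO_CBC_SSH,)):
    """Cipher list a backend would see with the given subpolicies applied."""
    return resolve(BASE_POLICY, list(subpolicies), scope)['cipher']


if __name__ == '__main__':
    for s in ('SSH', 'TLS'):
        print(f'{s}: cipher = {" ".join(effective_ciphers(s))}')
    print('SSH mac =', resolve(BASE_POLICY, [NO_CBC_SSH, NO_SHA1_MAC], 'SSH')['mac'])
```

Running it shows the point of scoping: the SSH view loses both CBC entries while TLS keeps the base list untouched, and the unscoped `mac = -HMAC-SHA1` line affects every scope. The glob is matched with `fnmatch.fnmatchcase`, so `*-CBC` removes `AES-256-CBC` and `AES-128-CBC` but leaves `CHACHA20-POLY1305` alone.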
Alexander Sosedkin
b15b23030d Tighten policies for RHEL-9
2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
2021-02-13 13:15:21 +00:00
DistroBaker
2f238bbfb1 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
2021-01-18 19:06:23 +00:00
Petr Šabata
a435c5ea66 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
2020-10-14 23:21:50 +02:00