rpms/crypto-policies
7
0
Fork 0
Code Issues Pull Requests Releases Activity
24 Commits 7 Branches 48 Tags 692 KiB
a56329e5d8
Commit Graph

16 Commits

Author SHA1 Message Date
Alexander Sosedkin
a56329e5d8 Update from upstream (RequiredRSASize): 
- openssh: rename RSAMinSize option to RequiredRSASize

Resolves: bz2129036
 2022-10-03 17:24:09 +02:00
Alexander Sosedkin
a9d73e9782 Update from upstream (RSAMinSize): 
- openssh: add RSAMinSize option following min_rsa_size

Resolves: bz2102774
 2022-08-15 11:39:21 +02:00
Alexander Sosedkin
a4f00ed857 Update from upstream (bind ED25519/ED448): 
- bind: control ED25519/ED448

Resolves: bz2077889
 2022-04-27 11:42:38 +02:00
Alexander Sosedkin
9ee1288970 Update from upstream (DNSSEC, SNTRUP): 
- DEFAULT: drop DNSSEC SHA-1 exception
- openssh: add support for sntrup761x25519-sha512@openssh.com

Resolves: bz2070230
Resolves: bz2070604
 2022-04-04 15:05:56 +02:00
Alexander Sosedkin
8fed911d53 Update from upstream (AD-SUPPORT, rh-allow-sha1-signatures, ...): 
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check

Resolves: bz2055796
Resolves: bz2056676
 2022-02-23 17:49:50 +01:00
Alexander Sosedkin
e69bea495b Update from upstream (SHAKE, FIPS changes): 
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos

Resolves: bz2005021
Resolves: bz2026657
Resolves: bz2006843
Resolves: bz2006844
 2022-02-03 18:49:41 +01:00
Alexander Sosedkin
b0d95fe7a8 Update from upstream (SECLEVEL=2@LEGACY, whitespace): 
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output

Resolves: bz2035249
 2022-02-01 18:05:39 +01:00
Alexander Sosedkin
80e3dac1e0 Update from upstream (OSPP, zipl): 
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)

Resolves: bz2013195
 2021-11-15 21:02:45 +01:00
Alexander Sosedkin
9d96f6f88f Update from upstream: openssl Chacha20, pylint 2.11 
- openssl: fix disabling ChaCha20
- update for pylint 2.11

Resolves: bz2004207
 2021-09-22 20:32:29 +02:00
Alexander Sosedkin
9699a7bbb8 Update from upstream: reorder gnutls sigalgs, fix --check 
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check

Resolves: bz1994097
 2021-09-14 15:46:26 +02:00
Alexander Sosedkin
5466f912c0 Update from upstream: gnutls sigalgs, check 
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability

Resolves: bz1979200, bz1978841
 2021-07-07 15:59:15 +02:00
Alexander Sosedkin
7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ... 
implement scoped policies, e.g., cipher@SSH = ...
implement algorithm globbing, e.g., cipher@SSH = -*-CBC
deprecate derived properties:
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
deprecate unscoped form of protocol property
openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
libssh: respect ssh_certs
restrict FIPS:OSPP further
improve Python 3.10 compatibility
update documentation
expand upstream test coverage
FUTURE: disable CBC ciphers for all backends but krb5
openssl: LEGACY must have SECLEVEL=1, enabling SHA1
disable DHE-DSS in LEGACY
bump LEGACY key size requirements from 1023 to 1024
add javasystem backend
*ssh: condition ecdh-sha2-nistp384 on SECP384R1
set %verify(not mode) for backend sometimes-symlinks-sometimes-not
gnutls: use allowlisting

Resolves: bz1975854
 2021-06-28 20:23:25 +02:00
Alexander Sosedkin
b15b23030d Tighten policies for RHEL-9 2021-02-18 18:38:39 +01:00
DistroBaker
705dc9cc64 Merged update from upstream sources 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#b596eb5600a9e299c0fb3d00b1f65993be10bc0a
 2021-02-13 13:15:21 +00:00
DistroBaker
2f238bbfb1 Merged update from upstream sources 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/crypto-policies.git#22c6077e4ea098bceea92dd8c92b8ce9ff753d8c
 2021-01-18 19:06:23 +00:00
Petr Šabata
a435c5ea66 RHEL 9.0.0 Alpha bootstrap 
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/crypto-policies#396bae93ee31b0a1d828f834fcdd82e0706ffddc
 2020-10-14 23:21:50 +02:00