Systemwide crypto policies
Alexander Sosedkin 7c076748f3 Update from upstream: scoped policies, gnutls allowlisting, ...
- implement scoped policies, e.g., cipher@SSH = ...
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
- deprecate derived properties:
  tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
- deprecate unscoped form of protocol property
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
- libssh: respect ssh_certs
- restrict FIPS:OSPP further
- improve Python 3.10 compatibility
- update documentation
- expand upstream test coverage
- FUTURE: disable CBC ciphers for all backends but krb5
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
- disable DHE-DSS in LEGACY
- bump LEGACY key size requirements from 1023 to 1024
- add javasystem backend
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
- gnutls: use allowlisting

Resolves: bz1975854
2021-06-28 20:23:25 +02:00
.gitignore RHEL 9.0.0 Alpha bootstrap 2020-10-14 23:21:50 +02:00
crypto-policies.spec Update from upstream: scoped policies, gnutls allowlisting, ... 2021-06-28 20:23:25 +02:00
sources Update from upstream: scoped policies, gnutls allowlisting, ... 2021-06-28 20:23:25 +02:00