From Fedora Project Wiki
(Still needs verification with releng)
mNo edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 35: Line 35:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1611810 #1611810]


== Detailed Description ==
== Detailed Description ==
Line 46: Line 46:
== Benefit to Fedora ==
== Benefit to Fedora ==


  * This brings the latest TLS protocol support to applications depending on gnutls, such as gnome, rsyslog, wget, samba, etc.
  * This brings the latest TLS protocol support to applications depending on gnutls, when crypto policies are updated for TLS1.3.


== Scope ==
== Scope ==
Line 55: Line 55:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/7639]  
<!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
Line 111: Line 112:
-->
-->


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF29]]


<!-- Select proper category, default is Self Contained Change -->
<!-- Select proper category, default is Self Contained Change -->
[[Category:SelfContainedChange]]
[[Category:SelfContainedChange]]
<!-- [[Category:SystemWideChange]] -->
<!-- [[Category:SystemWideChange]] -->

Latest revision as of 19:10, 2 August 2018


GnuTLS enables TLS 1.3 by default

Summary

This change enables TLS 1.3 (draft28) support on the gnutls crypto library.

Owner

  • Name: Nikos Mavrogiannopoulos
  • Email: <your email address so we can contact you, invite you to meetings, etc.>
  • Release notes owner:

Current status

Detailed Description

This change will enable the TLS 1.3 protocol (draft28) on the gnutls library. TLS 1.3 is the latest version of the TLS protocol which addresses few shortcomings of the previous versions. The protocol has already been approved by IETF and is on its final publication stage, with only minor editorial changes expected. The change for gnutls depending is transparent to existing applications.

More information for applications using gnutls:

* https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

Benefit to Fedora

* This brings the latest TLS protocol support to applications depending on gnutls, when crypto policies are updated for TLS1.3.

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

That change should have no impact on upgrade or compatibility. The TLS 1.3 protocol is designed in a way that does not cause incompatibility issues with existing (and even broken) implementations.

N/A (not a System Wide Change)

How To Test

* Existing work-flows which include secure communications should be tested
* Command line applications which use TLS (e.g., wget, lftp), should be tested against web-sites using TLS 1.3 (e.g., www.google.com)


N/A (not a System Wide Change)

User Experience

That change should not be noticeable by users except for applications which report the connected protocol. Other things users will notice

- Latency on TLS sessions will be reduced
- Performance of establishment of TLS sessions will be improved due to ed25519/x25519 support
- Privacy of TLS sessions will be improved from the perspective of passive eavesdroppers; no client certificate will be sent in the clear
- Transparent rekey of long-running sessions

Dependencies

GNOME, samba, rsyslog, wget, lftp, ...

Contingency Plan

If the expected transparent addition of TLS 1.3 cannot be assured (e.g., important issues are reported), the enablement of TLS1.3 protocol will be postponed for the next fedora release.

  • Contingency mechanism: The gnutls maintainer will not enable TLS1.3 by default in the build
  • Contingency deadline: Fedora 29 beta
  • Blocks release? No; the contingency plan is sufficient and can avoid a release block

Documentation

* https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
* https://www.gnutls.org/manual/gnutls.html#Upgrading-from-previous-versions

Release Notes