(Original page) |
(Remove reference to Fedora 21.) |
Line 1: | Line 1: | ||
== Enforcing system crypto policies == | == Enforcing system crypto policies == | ||
In Fedora there are policies for the usage of cryptographic protocols such as TLS that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind. The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the [https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team]. | |||
and rpmlint will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the [https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team]. | |||
=== New crypto libraries === | |||
New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team. |
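Review bot: The exemption sentence in the revised paragraph ("applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy") names no criterion and no approver, while the "New crypto libraries" section requires an exception granted by the packaging committee after consulting the security team. Suggest stating who decides that an application's weaker settings are intentional, or pointing to the same exception process, so that "When in doubt, discuss with the Fedora security team" is not the only guidance. Separately, "intentionally ... on a purpose" is redundant; dropping "on a purpose" reads cleaner.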
Latest revision as of 18:35, 16 August 2018
Enforcing system crypto policies
Fedora enforces system-wide policies for the use of cryptographic protocols such as TLS. Each application added to Fedora must be checked for compliance with these policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS and libkrb5, languages such as Java, and major applications like OpenSSH and bind. The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note, however, that some applications intentionally set weaker or custom settings (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the Fedora security team.
New crypto libraries
New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by the Fedora packaging committee after consulting with the Fedora security team.