Revision as of 08:21, 27 May 2016
NSS enforces the system-wide crypto policy
Summary
As it stands, the system-wide crypto policy in F24 is enforced only by the OpenSSL and GnuTLS TLS libraries. To harmonize crypto in Fedora, NSS is enhanced to respect the settings of the system-wide crypto policy as well.
Owner
- Name: Nikos Mavrogiannopoulos
- Email: nmav@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 25
- Last updated: 2016-05-27
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
As it stands, the system-wide crypto policy in F24 is enforced only by the OpenSSL and GnuTLS TLS libraries. To harmonize crypto in Fedora, NSS is enhanced to respect the settings of the system-wide crypto policy as well.
After this change the administrator can be assured that any application using NSS follows a policy that adheres to the configured profile.
Benefit to Fedora
With this change a Fedora system will have a consistent way of setting a default security profile for all NSS-dependent applications. Overall this brings NSS applications on par with OpenSSL and GnuTLS with respect to system-wide policy adherence.
Scope
- Proposal owners:
The change requires modifying the NSS library to read a policy generated by the crypto-policy package.
- Other developers:
There are no required actions by other developers. The change requires only targeted changes to NSS.
- Release engineering:
No actions required.
- Policies and guidelines:
- The packaging guidelines for crypto policies need to be modified to include NSS in the list of libraries supporting the policies.
- The text "(note that adherence to the system-wide policies is work in progress for NSS libraries)" must be removed
- The text "Currently the policies are restricted to applications using GnuTLS and OpenSSL" must be changed to include NSS.
- Trademark approval:
N/A (not needed for this Change)
Upgrade/compatibility impact
Connections from NSS applications to legacy systems may no longer be possible. The administrator can work around this by switching from the DEFAULT to the LEGACY crypto policy.
How To Test
Testing good operation
Test the good operation of NSS-linked applications (e.g., Firefox, curl) connecting to various sites on the Internet. Test the good operation of Evolution (mail, S/MIME).
Testing application of settings
- Set up an HTTPS server with a legacy protocol or cipher that is disabled in the F25 system-wide policy (e.g., RC4, SSL 3.0)
- Use an NSS-linked application to connect to that server (e.g., Firefox, curl)
- The connection should fail on F25 (it may have succeeded on previous versions, depending on the application-specific policy).
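The procedure above as a small POSIX shell harness, added here and not part of the change page. It assumes openssl s_server (built with SSL 3.0 enabled), an NSS-linked curl, a test certificate/key at the assumed paths, and the update-crypto-policies tool; the server side uses OpenSSL only to offer the legacy settings, while what is under test is whether the NSS client refuses them under the DEFAULT policy.

```shell
#!/bin/sh
# Assumed paths for a self-signed test certificate (not from the change page).
CERT=${CERT:-/tmp/legacy-server.pem}
KEY=${KEY:-/tmp/legacy-server.key}
PORT=${PORT:-4433}

# Map a curl exit status to the outcome the test procedure talks about.
#  0  -> handshake completed: the client did NOT apply the policy
#  35 -> "SSL connect error": handshake refused, the expected F25 DEFAULT result
#  *  -> a setup problem (no server, bad URL), not a policy result
classify_curl_status() {
    case "$1" in
        0)  echo "connected" ;;
        35) echo "refused" ;;
        *)  echo "error" ;;
    esac
}

# Under DEFAULT the only acceptable outcome is a refused handshake.
expect_for_policy() {
    case "$1:$2" in
        DEFAULT:refused) return 0 ;;
        *)               return 1 ;;
    esac
}

run_legacy_server() {
    # Offer only SSL 3.0 with an RC4 suite, the two legacy examples named
    # in the procedure; both are disabled by the F25 DEFAULT policy.
    openssl s_server -accept "$PORT" -cert "$CERT" -key "$KEY" \
        -ssl3 -cipher RC4-SHA -www >/dev/null 2>&1 &
    echo $!
}

check_policy() {
    policy=$1
    pid=$(run_legacy_server); sleep 1
    curl -k --sslv3 "https://localhost:$PORT/" >/dev/null 2>&1; status=$?
    kill "$pid" 2>/dev/null
    outcome=$(classify_curl_status "$status")
    echo "policy=$policy curl_status=$status outcome=$outcome"
    expect_for_policy "$policy" "$outcome"
}

# Example run (root needed to switch policies):
#   update-crypto-policies --set DEFAULT && check_policy DEFAULT
```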
User Experience
Given that the system-wide policy disables obsolete ciphers and protocols, there should be no user-noticeable effect.
Dependencies
Several. Use "repoquery --whatrequires nss" for the dependency listing.
Contingency Plan
- Contingency mechanism:
If the changes to NSS are not complete in time, NSS will remain as it is and will not respect the crypto policies in Fedora 25.
- Contingency deadline: F25 alpha
- Blocks release? Yes
- Blocks product? N/A
Documentation
Release Notes
A proposed note follows.
The release notes originally used for the Crypto policies change should be reused, in addition to: "With this change a Fedora system will have a consistent way of setting a default security profile for all NSS-dependent applications. Overall this brings NSS applications on par with OpenSSL and GnuTLS with respect to system-wide policy adherence."