#470 F33 System-Wide Change: Strong crypto settings: phase 2
Closed 3 years ago by pbokoc. Opened 4 years ago by bcotton.

This issue tracks the release note for the following Fedora Change:

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

If you own this change, please add additional information here that we should communicate to Fedora users. Specifically, please consider:

  • New features available because of this change - pick 2 or 3 that are important
  • Considerations for users of previous releases of Fedora (upgrade issues, format changes, etc.)
  • Links to any upstream Release Notes
  • If this helps Fedora be a superior environment for our target audiences, please explain how so that we can emphasize this.

Your notes to us do not need to be formally written. We will edit them and add details as needed. This is a way for you to ensure that we know what is critical about your change.

If you want to write this release note, then:

  • Assign this issue to yourself
  • Check the wiki page linked above, find out what the change is about
  • Determine whether the change actually made it into the release or not[0]
  • Write a draft release note using that information against the correct branch here, in Pagure. (or see below)
  • Get in touch with the contact person/people listed on the wiki page, either through IRC or e-mail, and ask them to check your draft for technical accuracy
  • Submit your Release Note as a PR to this repository.

Once you're done with the above, make sure to either commit the relnote to an appropriate section of the Release Notes book, or, if you're not familiar with Git, AsciiDoc, or whatever else, just add it to this issue as a comment and let pbokoc[1] know that you're done with this one and you'd like the note included. Be sure to do this at least one day before the final release (October 29 according to the current schedule). Also make sure to do this even for relnotes that haven't been checked by the change owner.

[0] You can do that by asking the change owner listed on the wiki page; alternatively you can infer it by checking the tracker bug (linked in Wiki) in Bugzilla and looking at its status; see bug comments for details. Ask someone on the mailing list or on IRC if you're not sure.
[1] In #fedora-docs on FreeNode (UTC+1 timezone, online mostly during the day on weekdays), or pbokoc @redhat.com if you can't get a hold of me on IRC.


Due to this change, Fedora 33 disables TLS protocol versions older than 1.2, the minimum parameter size for Diffie-Hellman key exchanges is set to 2048 bits, and the use of signatures with SHA1 hash is disabled in the TLS, SSH, and IKE protocols by default.

For that reason, Fedora 33 might no longer communicate with legacy systems that support only the protocol versions, DH parameter size or SHA1 hash in signatures.

If you need to communicate with such systems, please set the system-wide crypto policy to LEGACY with the following command:

update-crypto-policies --set LEGACY

If we would like to extend on the possible workarounds in SSH, comment https://bugzilla.redhat.com/show_bug.cgi?id=1884920#c1 should contain all important information.
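As an added example (not part of the original comment or of Fedora's tooling), this Python function checks captured `openssl s_client` output from a legacy TLS peer against the three limits named above, to show which one is the reason a Fedora 33 client on the default policy cannot connect. The transcripts are constructed samples, and the function and constant names are hypothetical.

```python
import re

# Limits taken from the comment above; all names here are hypothetical.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_TLS = "TLSv1.2"
MIN_DH_BITS = 2048

def audit_s_client(output):
    """Map each limit the captured handshake falls below to a short explanation."""
    findings = {}
    # "Protocol  : TLSv1.2" appears in the SSL-Session block of s_client output.
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if proto and TLS_ORDER.get(proto.group(1), 99) < TLS_ORDER[MIN_TLS]:
        findings["tls-version"] = f"{proto.group(1)} is older than TLS 1.2"
    # Only finite-field DH is checked; ECDH/X25519 key shares do not match.
    dh = re.search(r"^Server Temp Key:\s*DH,\s*(\d+) bits", output, re.M)
    if dh and int(dh.group(1)) < MIN_DH_BITS:
        findings["dh-size"] = f"{dh.group(1)}-bit DH parameters are below 2048 bits"
    digest = re.search(r"^Peer signing digest:\s*(\S+)", output, re.M)
    if digest and digest.group(1).upper() in ("SHA1", "SHA-1"):
        findings["sha1-signature"] = "handshake signature uses SHA1"
    return findings

# Constructed transcripts, reduced to the lines the audit reads.
LEGACY_DH_SHA1 = """\
Peer signing digest: SHA1
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
"""
OLD_PROTOCOL = """\
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1
"""
MODERN = """\
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
SSL-Session:
    Protocol  : TLSv1.3
"""

if __name__ == "__main__":
    samples = {"legacy": LEGACY_DH_SHA1, "old": OLD_PROTOCOL, "modern": MODERN}
    for name, text in samples.items():
        print(name, audit_s_client(text) or "none of the three limits hit")
```

The transcript has to be captured from a host that can still complete the handshake, since a Fedora 33 client on the default policy will refuse it.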

Metadata Update from @pbokoc:
- Issue assigned to pbokoc

3 years ago

@pbokoc I cannot find this mentioned in the release notes. Wouldn't it make sense to include it so we do not surprise people as below?

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/CM3KTWRWITDS2G6GKQPVQU6JOPC5D4YQ/

Metadata Update from @pbokoc:
- Assignee reset

3 years ago

https://www.reddit.com/r/Fedora/comments/jhxbdh/no_ssh_public_key_auth_after_upgrade_to_fedora_33/

This thread can help in defining what users need to know about the change.

The names of algorithms may be confusing, and not telling much for a generic user, but the fact that "you may lose the possibility to log in to some older systems" will attract attention.

Metadata Update from @bookwar:
- Issue assigned to pbokoc

3 years ago

Metadata Update from @pbokoc:
- Issue status updated to: Closed (was: Open)

3 years ago

I'm seeing quite a lot of user confusion as a result of this change in various forums like the Reddit post @bookwar mentioned. In retrospect, this change should not have been approved with "Documentation: None / Release Notes: [blank]".


Metadata
Related Pull Requests
  • #600 Merged 3 years ago