@@ -17,3 +17,33 @@
[[sect-security-krb5-appl]]
=== krb5-appl Packages Removed
The `krb5-appl-clients` and `krb5-appl-servers` packages are considered to be obsolete and have been removed from Fedora. These packages provided Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers. Users should to move to more modern security tools, such as openssh.
+
+
+ [#sect-defauilt-ciopher-in-openvpn-changed-to-256-bit-aes-gcm]
+ === Default cipher in OpenVPN changed to 256-bit AES-GCM
+
+ OpenVPN configurations utilizing the newer `openvpn-server@.service` unit file now use a stronger cipher for the VPN tunnel by default. The default is changed from the Blowfish algorithm using 128-bit keys to the newer AES-GCM algorithm with 256-bit keys.
+
+ To ensure backwards compatibility, this new default also enables clients still using the not recommended Blowfish algorithm to connect by utilizing the `--ncp-ciphers` feature being available in OpenVPN{nbsp}2.4.
+
+ To facilitate an easy migration path away from Blowfish for clients not supporting AES-GCM, these clients can now add or change the `--cipher` option in the client configuration to either `AES-256-CBC` or `AES-128-CBC` without needing to do any other server changes.
+
+
+ [#sect-openshh-server-now-follows-system-wide-crypto-policies]
+ === OpenSSH Server now follows system-wide crypto policies
+
+ Fedora defines system-wide crypto policies, which are followed by cryptographic libraries and tools, including OpenSSH clients. This allows administrators to use different system-wide security levels. With this update, OpenSSH Server adheres to these system-wide crypto policies, too.
+
+ This modification is implemented using a script, which places configuration generated according to currently defined crypto policies into the OpenSSH Server's configuration file. The script is executed by systemd when the `sshd` service is started. It is, therefore, necessary to restart the `sshd` service for changes to crypto-policy configuration to take effect.
+
+
+ [#sect-ssh-1-support-removed-from-openssh]
+ === SSH-1 support removed from OpenSSH
+
+ The SSH-1 protocol is obsolete and no longer considered secure. As such, it is not supported by the default OpenSSH client binaries packaged for Fedora. This changes removes support for the SHH-1 protocol altogether by removing the *openssh-clients-ssh1* subpackage.
+
+
+ [#sect-libcurl-switches-to-using-openssl]
+ === libcurl switches to using OpenSSL
+
+ The *libcurl* library now uses OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in the NSS database need to be exported to files for *libcurl* to be able to load them. See link:http://pki.fedoraproject.org/wiki/NSS_Database[http://pki.fedoraproject.org/wiki/NSS_Database] for instructions on how to work with the NSS database.
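Review bot: two of the new section anchors carry typos that will become permanent link targets once published, so they should be fixed in this change rather than after: `[#sect-defauilt-ciopher-in-openvpn-changed-to-256-bit-aes-gcm]` should read `[#sect-default-cipher-in-openvpn-changed-to-256-bit-aes-gcm]`, and `[#sect-openshh-server-now-follows-system-wide-crypto-policies]` should read `[#sect-openssh-server-now-follows-system-wide-crypto-policies]`. In the SSH-1 section, "This changes removes support for the SHH-1 protocol" should be "This change removes support for the SSH-1 protocol". The OpenVPN compatibility sentence ("this new default also enables clients still using the not recommended Blowfish algorithm to connect by utilizing the `--ncp-ciphers` feature being available in OpenVPN{nbsp}2.4") is hard to parse; suggest "For backwards compatibility, the server still accepts clients that use the deprecated Blowfish cipher, relying on the cipher negotiation (`--ncp-ciphers`) feature available in OpenVPN{nbsp}2.4". The following migration paragraph tells clients to set `--cipher` to `AES-256-CBC` or `AES-128-CBC` "without needing to do any other server changes" but does not say why no server change is needed; a half sentence stating that the server already accepts those ciphers in the new default configuration would close that gap. In the OpenSSH section, since the script runs only when the service is started, consider naming the command (`systemctl restart sshd`) and stating that a reload of the running daemon does not re-run it, so the operational caveat is concrete. The unchanged context line "Users should to move to more modern security tools" has a stray "to" that could be dropped while this file is being touched.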
Release note for Issue #26 'aarch64 SBC disk images'.