#600 Adds Crypto Settings release note
Merged 7 months ago by pbokoc. Opened 7 months ago by jackiebinya.
fedora-docs/ jackiebinya/release-notes crypto-settings  into  f33

@@ -13,3 +13,35 @@ 

  After users install the PARSEC stack on Fedora Workstation edition, the PARSEC daemon will automatically start during the early boot process. On Fedora IoT edition, the stack installation and start of the daemon is done by the OS itself.

  

  From a hardware perspective, the PARSEC daemon can currently use a Trusted Platform Module 2 (TPM2) chip, Hardware Security Module (HSM) device, or systems that have an Arm TrustZone technology enabled.

+ 

+ 

+ == Strong Crypto Settings - Phase 2

+ 

+ Fedora 33 disables:

+ 

+ * TSL Protocols versions older than 1.2 version, so TSL versions 1.0 and 1.1 are now disabled by default.

+ * SHA hash signatures in TLS, SSH and IKE protocols.

+ * Diffie Hellman key exchange with parameter size less that 2048 bits.

+ 

+ As a result Fedora 33 cannot communicate with legacy systems that support all the disabled entities which are outlined above.

+ 

+ If you want to communicate with legacy systems, you may:

+ 

+ * Set the system wide crypto policy to LEGACY, by using the command below:

+ 

+ [source,shell]

+ ----    

+ # update-crypto-policies --set LEGACY

+ ----

+ 

+ * Or add the snippet below to your ssh config file (~/.ssh/config)

+ 

+ [source,shell]

+ ----    

+ # Host <server-name>

+     PubkeyAcceptedKeyTypes ssh-rsa

+ ----

+ 

+ * The most secure method is to use Elliptic Curve Digital Signature Algorithm (ECDSA) to generate new ssh keys, as the methods above override Fedora 33 new crypto polices rendering your system vulnerable.

+ 

+ 
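Review bot: In the `~/.ssh/config` snippet, `# Host <server-name>` starts with `#`, which ssh_config treats as a comment, so a reader who copies the block verbatim gets `PubkeyAcceptedKeyTypes ssh-rsa` applied outside the intended Host block (to every host, if it sits at the top of the file) instead of only to the legacy server. Drop the `#` on that line; it reads as a root prompt in the `update-crypto-policies` block above, but not in a config file, and `[source,shell]` is the wrong tag for a config listing. In the same hunk, "TSL" should be "TLS" (twice), "less that" should be "less than", "polices" should be "policies", and "SHA hash signatures" should name the specific SHA variant that is disabled. The last bullet is the recommendation rather than a third workaround, so consider moving it out of the "you may" list and stating it before the two overrides, with the note that both overrides weaken the new defaults.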

Adds a release note for Crypto Settings - Phase 2.

Fixes #470

1 new commit added

  • Fixes typo
7 months ago

1 new commit added

  • Fixes wording
7 months ago

Pull-Request has been merged by pbokoc

7 months ago