| |
@@ -13,3 +13,35 @@
|
| |
After users install the PARSEC stack on Fedora Workstation edition, the PARSEC daemon will automatically start during the early boot process. On Fedora IoT edition, the stack installation and start of the daemon is done by the OS itself.
|
| |
|
| |
From a hardware perspective, the PARSEC daemon can currently use a Trusted Platform Module 2 (TPM2) chip, Hardware Security Module (HSM) device, or systems that have an Arm TrustZone technology enabled.
|
| |
+
|
| |
+
|
| |
+ == Strong Crypto Settings - Phase 2
|
| |
+
|
| |
+ Fedora 33 disables:
|
| |
+
|
| |
+ * TSL Protocols versions older than 1.2 version, so TSL versions 1.0 and 1.1 are now disabled by default.
|
| |
+ * SHA hash signatures in TLS, SSH and IKE protocols.
|
| |
+ * Diffie Hellman key exchange with parameter size less that 2048 bits.
|
| |
+
|
| |
+ As a result Fedora 33 cannot communicate with legacy systems that support all the disabled entities which are outlined above.
|
| |
+
|
| |
+ If you want to communicate with legacy systems, you may:
|
| |
+
|
| |
+ * Set the system wide crypto policy to LEGACY, by using the command below:
|
| |
+
|
| |
+ [source,shell]
|
| |
+ ----
|
| |
+ # update-crypto-policies --set LEGACY
|
| |
+ ----
|
| |
+
|
| |
+ * Or add the snippet below to your ssh config file (~/.ssh/config)
|
| |
+
|
| |
+ [source,shell]
|
| |
+ ----
|
| |
+ # Host <server-name>
|
| |
+ PubkeyAcceptedKeyTypes ssh-rsa
|
| |
+ ----
|
| |
+
|
| |
+ * The most secure method is to use Elliptic Curve Digital Signature Algorithm (ECDSA) to generate new ssh keys, as the methods above override Fedora 33 new crypto polices rendering your system vulnerable.
|
| |
+
|
| |
+
|
| |
jackiebinya
commented 3 years ago
Adds a release note for Crypto Settings- Phase 2.
Fixes #470