Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1179220
Please convert to use the system's crypto policy for SSL and TLS: https://fedoraproject.org/wiki/Packaging:CryptoPolicies If this program is compiled against gnutls, change the default priority string to be "@SYSTEM" or to use gnutls_set_default_priority(). If this program is compiled against openssl, and there is no default cipher list specified, you don't need to modify it. Otherwise replace the default cipher list with "PROFILE=SYSTEM". In both cases please verify that the application uses the system's crypto policies. If the package is already using the system-wide crypto policies, or it does not use SSL or TLS, no action is required, the bug can simply be closed.
FreeIPA uses neither OpenSSL nor GnuTLS for SSL yet. I removed the ssl module in #5068. It looks like we don't have to do anything for now. I've asked the original reporter on Bugzilla. Let's see what he has to say about NSS.
I also did some digging because I wasn't familiar with the feature. The profile feature is not part of OpenSSL. It is part of a Fedora patch. The feature works only on Fedora and maybe on other Red Hat systems. I haven't checked RHEL yet.
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-system-cipherlist.patch?id=646646611547dd7072b0562ed5f27861fbb12f48
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl.spec?id=646646611547dd7072b0562ed5f27861fbb12f48#n275
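The conversion the Bugzilla request above describes for OpenSSL-linked programs (drop the hard-coded cipher list, use "PROFILE=SYSTEM"), together with the caveat in the previous comment that the PROFILE keyword only exists in the Fedora/RHEL OpenSSL patch, as an added example written here against Python's OpenSSL-backed ssl module. This is not FreeIPA or Dogtag code; the "legacy" cipher string and all function names are illustrative assumptions. On an unpatched upstream OpenSSL, `PROFILE=SYSTEM` matches no cipher, `SSL_CTX_set_cipher_list` fails, and Python raises `ssl.SSLError`, which is the condition the example detects.

```python
"""Added example, not from the FreeIPA ticket or project: opt a Python
ssl.SSLContext into the system-wide crypto policy via "PROFILE=SYSTEM",
and detect when the underlying OpenSSL lacks the Fedora/RHEL patch."""
import ssl
from typing import List, Tuple

# Keyword understood only by Fedora/RHEL-patched OpenSSL (see the
# openssl-*-system-cipherlist.patch linked above).
SYSTEM_PROFILE = "PROFILE=SYSTEM"

# Illustrative "before" state: an application-baked cipher list, which is
# exactly what the Bugzilla request asks packagers to replace. This string is
# an assumption for the example, not a list any FreeIPA component uses.
LEGACY_CIPHERS = "HIGH:!aNULL:!MD5"


def build_legacy_context() -> ssl.SSLContext:
    """The pattern being phased out: the program, not the admin, picks ciphers."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def apply_system_policy(ctx: ssl.SSLContext) -> bool:
    """Hand cipher selection to the system crypto policy.

    Returns True if the OpenSSL in use accepted "PROFILE=SYSTEM", False if it
    rejected it. Unpatched upstream OpenSSL does not know the PROFILE keyword,
    so no cipher matches and the ssl module raises ssl.SSLError; in that case
    OpenSSL keeps the context's previous cipher list, so ctx stays usable.
    """
    try:
        ctx.set_ciphers(SYSTEM_PROFILE)
    except ssl.SSLError:
        return False
    return True


def build_policy_context() -> Tuple[ssl.SSLContext, bool]:
    """The "after" state: defaults, then defer to the system policy if possible.

    The bool tells the caller whether the policy was actually applied; a
    packager verifying the conversion (as the request asks) wants that fact,
    not a silent fallback to whatever the library defaulted to.
    """
    ctx = ssl.create_default_context()
    applied = apply_system_policy(ctx)
    return ctx, applied


def cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Cipher suites the context would offer, in OpenSSL's preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    legacy = build_legacy_context()
    policy_ctx, applied = build_policy_context()
    print("legacy list :", len(cipher_names(legacy)), "suites")
    print("system policy honoured by this OpenSSL:", applied)
    print("effective  :", len(cipher_names(policy_ctx)), "suites")
```

Run it on a Fedora or RHEL host and `applied` is True and the effective list follows `update-crypto-policies`; run it against an upstream OpenSSL build and `applied` is False while the context keeps Python's defaults. Either way the caller can tell the difference, which is the "verify that the application uses the system's crypto policies" step the request ends with.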
--- Comment #7 from Nikos Mavrogiannopoulos --- NSS cannot be configured to use the system wide policies. In that case that bug should depend on: https://bugzilla.redhat.com/show_bug.cgi?id=1157720
FreeIPA indirectly uses OpenSSL through Dogtag PKI. Dogtag makes use of the requests library, which in turn depends on Python's ssl module. As of now there is no way to configure requests' cipher list.
During processing of remaining tickets in 4.2 Backlog, this ticket was found as suitable to be fixed in the nearest bugfixing branch - which is 4.2.x.
BTW This is also relevant to DNSSEC. BIND integration is already done in Fedora, so we can easily backport it (if we are allowed to backport relevant parts of system wide policies).
See BIND bug https://bugzilla.redhat.com/show_bug.cgi?id=1179925
FreeIPA 4.2.1 was released, moving to 4.2.x.
Metadata Update from @mkosek: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.5 backlog
I changed the target version to 4.7 since it's technically a new feature.
https://github.com/freeipa/freeipa/pull/1561 implements crypto policy for bind and HTTPS. I think it doesn't update an existing named.conf. I'll figure that out later.
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1561 (was: 0) - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5 backlog)
master:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)