diff --git a/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch b/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch new file mode 100644 index 0000000000000000000000000000000000000000..21390a771a5da404a563b8ad93e35a2991f9cb22 --- /dev/null +++ b/backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch @@ -0,0 +1,56 @@ +From c40cedee6e5225dc72e590f9ff0282d876a2e5d5 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 2 Jul 2020 15:40:01 +0200 +Subject: [PATCH] Describe some of the quirks of the back-end config + generators. + +--- + crypto-policies.7.txt | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/crypto-policies.7.txt b/crypto-policies.7.txt +index 0971935..2b583b8 100644 +--- a/crypto-policies.7.txt ++++ b/crypto-policies.7.txt +@@ -277,7 +277,7 @@ COMMANDS + NOTES + ----- + +-*Exceptions:* ++*Exceptions* + + * *Go-language* applications do not yet follow the system-wide policy. + * *GnuPG-2* application does not follow the system-wide policy. +@@ -323,6 +323,29 @@ of individual applications: + * all *ECC* curves incompatible with *TLS 1.3*, including secp256k1 + * *IKEv1* + ++*Notable irregularities in the individual configuration generators* ++ ++* *OpenSSL*: The minimum length of the keys and some other parameters ++are enforced by the @SECLEVEL value which does not provide a fine ++granularity. The list of *TLS* ciphers is not generated as an exact list ++but by subtracting from all the supported ciphers for the enabled key ++exchange methods. For that reason there is no way to disable a random cipher. ++In particular all *AES-128* ciphers are disabled if the *AES-128-GCM* is not ++present in the list; all *AES-256* ciphers are disabled if the *AES-256-GCM* ++is not present. The *CBC* ciphers are disabled if there isn't *HMAC-SHA1* ++in the hmac list and *AES-256-CBC* in the cipher list. To disable the *CCM* ++ciphers both *AES-128-CCM* and *AES-256-CCM* must not be present in the cipher ++list. ++ ++* *GnuTLS*: The minimum length of the keys and some other parameters ++are enforced by min-verification-profile setting in the *GnuTLS* configuration ++file which does not provide fine granularity. ++ ++* *OpenSSH*: *DH* group 1 is always disabled on server even if the policy ++allows 1024 bit *DH* groups in general. The OpenSSH configuration option ++HostKeyAlgorithms is set only for the *SSH* server as otherwise the ++handling of the existing known hosts entries would be broken on client. ++ + HISTORY + ------- + +-- +2.33.0 + diff --git a/crypto-policies.spec b/crypto-policies.spec index 64014e68ae8f8e2debf7fdc9fe6232f933c32bf1..fb8b09136ba8d66a394c97c55240a754a05304f1 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec @@ -4,7 +4,7 @@ Name: crypto-policies Version: %{git_date} -Release: 2.git%{git_commit_hash} +Release: 3.git%{git_commit_hash} Summary: Crypto policies package for Fedora License: LGPLv2+ @@ -17,6 +17,7 @@ Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archiv Patch0: backport-rewrite-test-nss-pl-in-python.patch Patch1: backport-policygenerators-nss-output-sigalgs-nss-3-59.patch Patch2: crypto-policies-tests-outputs-NEXT-nss-output-sigalgs-nss-3-59.patch +Patch3: backport-Describe-some-of-the-quirks-of-the-back-end-config-g.patch BuildArch: noarch BuildRequires: asciidoc @@ -148,6 +149,9 @@ make check %{?_smp_mflags} %license COPYING.LESSER %changelog +* Thu Oct 20 2022 yixiangzhike - 20200619-3.git781bbd4 +- backport upstream patch to add more notes for crypto-policies exceptions + * Fri Jan 7 2022 yixiangzhike - 20200619-2.git781bbd4 - add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)