https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_cc_applications
says that I need to patch application (if it does not have config
file) to use "PROFILE=SYSTEM" as the argument to the cipher list.
However, when I was looking into the library which uses this function
(rust-openssl), I found following piece of code:
/// Creates a new builder for TLS connections.
///
/// The default configuration is subject to change, and is
currently derived from Python.
pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder,
ErrorStack> {
let mut ctx = ctx(method)?;
ctx.set_default_verify_paths()?;
ctx.set_cipher_list(
"DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
)?;
setup_verify(&mut ctx);
Ok(SslConnectorBuilder(ctx))
}
https://github.com/sfackler/rust-openssl/blob/9ba802ad437447ac71f99d89653b35072bf5ccd9/openssl/src/ssl/connector.rs#L62-L74
Then I looked at CPython and found that it does this:
/* Ignored in SSLContext constructor, only used to as
_ssl.DEFAULT_CIPHER_STRING */
#define PY_SSL_DEFAULT_CIPHER_STRING SSL_DEFAULT_CIPHER_LIST
And then it just ignores call to SSL_CTX_set_cipher_list().
So my question would be: Should I patch rust-openssl to use
PROFILE=DEFAULT or I should just remove that call entirely? It is not
very clear to me from the guidelines. Also since I want to get this
upstream, which option is more portable?
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
