On 8/25/21 4:54 AM, Alexander Sosedkin wrote:
It's not ideal if one obsolete website forces downgrading the security
potentially for all the connections. I hope 5) is addressing that.
That's something apps and only apps can handle.
Well, but if the system policy says that TLS1.0 is banned, the only way
for the app to downgrade would be if it had its own TLS stack, right?
I do realize that the current policy mechanism is not designed for
narrow deviations, I am just pointing out that it's not ideal because in
practice people downgrade because they need narrow deviations for
specific connections, and as you well know, relaxing the rules for all
connections opens the door to downgrade attacks even on the connections
that are capable of TLS2.0.
I am asking if there is another way, for instance by having a
per-interface policies, and setting up the relaxed rules for an
interface that routes traffic to this one deficient remote endpoint.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure