On Thursday 17 March 2016, 16:41:57 [CET] Rob Crittenden wrote:
> Vitezslav Cizek wrote:
> > Hi,
> > I can't log in to fedorahosted for some reason, so I can't create a
> > ticket there.
> >
> > I'm attaching a patch for the migrate.pl script.
> >
> > The changes are:
> > * Use a whitelist instead of a blacklist for migrated directives,
> >   because more of them are specific to mod_ssl than common
> > * Don't translate SSLCipherSuite, we support OpenSSL strings now
> > * Add input (-r) and output options (-w) for the configuration files,
> >   instead of using ssl.conf and nss.conf
> > * Commented lines are now recognized even if they begin with whitespace
> > * The script keeps nestable apache configuration block directives
> > * Print more verbose disclaimer
> > * Set NSSProtocol unconditionally
>
> Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25
> to track this.

Thanks, I updated the patch in there.

> Some comments:
>
> I think it would be best to completely drop get_ciphers and the lines that
> were calling it.
>
> There is a problem though.

I sort of expected that this step may cause some problems; that's why I left
the code in, but commented it out.

> In Fedora/RHEL/CentOS there is a movement towards a
> system-level SSL/TLS configuration. This leaves an unusable configuration of:
>
> NSSCipherSuite PROFILE=SYSTEM
> NSSProxyCipherSuite PROFILE=SYSTEM
>
> This is because NSS is almost, but not quite, there when it comes to
> system-level config and it is going to be configured differently.
>
> The OpenSSL policy file in Fedora is
> /etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is
> to slurp that in and use it. On my box it is just a cipher string.
>
> So either the system config needs to be read and the values replaced or
> get_ciphers needs to be updated big time. I'd prefer the former.

If centralized cipher settings are in place, then the migrate.pl script
should definitely be aware of them. This is, however, Fedora/RHEL-specific.
I think we can keep the cipher string on other distributions.

> Need to force a value for NSSProxyProtocol like NSSProtocol.
>
> I think SSLFIPS can be removed from the whitelist.

Done.

> The header written to the mod_nss output file needs to be changed because
> the comments are no longer omitted.

Yes, that was an oversight.

> rob

--
Vita Cizek
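As an added illustration of the migration rules discussed in this thread (not the migrate.pl patch itself, and written in Python rather than Perl): a minimal whitelist-based translator that copies indented comments and nestable blocks through unchanged, keeps OpenSSL cipher strings untouched, substitutes the cipher string from a constructed stand-in for the crypto-policies OpenSSL back-end when it meets PROFILE=SYSTEM, and forces NSSProtocol and NSSProxyProtocol. The whitelist, the forced protocol value and the sample inputs are assumptions.

```python
import re

# Assumed whitelist (not the patch's list): SSL* directives with a same-named NSS* counterpart.
WHITELIST = {"SSLEngine", "SSLProtocol", "SSLCipherSuite", "SSLProxyEngine",
             "SSLProxyProtocol", "SSLProxyCipherSuite", "SSLRequireSSL", "SSLVerifyClient"}
FORCED_PROTOCOL = "TLSv1.2"  # assumed value; the thread only says one must be forced
# Constructed stand-in for /etc/crypto-policies/back-ends/openssl.config (a cipher string on Fedora).
SAMPLE_POLICY = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\n"
DIRECTIVE = re.compile(r"^(\s*)(\S+)\s*(.*?)\s*$")

# Constructed mod_ssl input covering each case the thread discusses.
SAMPLE_SSL_CONF = """\
  # indented comment
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite PROFILE=SYSTEM
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    ServerName www.example.com
</VirtualHost>
"""
def migrate(ssl_conf, openssl_policy=SAMPLE_POLICY, forced=FORCED_PROTOCOL):
    out, emitted = [], set()
    for raw in ssl_conf.splitlines():
        stripped = raw.strip()
        # Blanks, comments (even indented ones) and block delimiters like <VirtualHost> pass through.
        if not stripped or stripped[0] in "#<":
            out.append(raw)
            continue
        indent, name, value = DIRECTIVE.match(raw).groups()
        if not name.startswith("SSL"):
            out.append(raw)  # non-TLS directive, keep as is
        elif name not in WHITELIST:
            out.append(f"{indent}# not migrated (no whitelisted NSS equivalent): {stripped}")
        else:
            if name.endswith("CipherSuite") and value == "PROFILE=SYSTEM":
                # mod_nss cannot consume PROFILE=SYSTEM: substitute the system policy's OpenSSL
                # cipher string instead. Any other OpenSSL cipher string is copied verbatim.
                value = openssl_policy.strip()
            if name.endswith("Protocol"):
                value = forced  # NSSProtocol / NSSProxyProtocol are set unconditionally
            new = "NSS" + name[3:]
            emitted.add(new)
            out.append(f"{indent}{new} {value}".rstrip())
    # Force a protocol for the server and proxy side even when the input had none.
    for new in ("NSSProtocol", "NSSProxyProtocol"):
        if new not in emitted:
            out.append(f"{new} {forced}")
    return "\n".join(out) + "\n"
```

Running `migrate(SAMPLE_SSL_CONF)` rewrites the three whitelisted directives, comments out SSLCertificateFile, and appends an NSSProxyProtocol line because the input had no proxy protocol setting.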
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
