Vitezslav Cizek wrote:
Hi Rob,
On Friday 18 March 2016 at 15:44:34 [CET], Rob Crittenden wrote:
Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25
to track this.
Thanks, I updated the patch in there.
Ok thanks, I'll take a look.
The new patch incorporates suggestions from your first email.
Some comments:
I think it would be best to completely drop get_ciphers and the lines that
were calling it.
There is a problem though.
I sort of expected that this step may cause some problems, that's why
I left the code in, but commented it out.
In Fedora/RHEL/CentOS there is a movement towards a
system-level SSL/TLS configuration. This leaves an unusable configuration of:
NSSCipherSuite PROFILE=SYSTEM
NSSProxyCipherSuite PROFILE=SYSTEM
This is because NSS is almost, but not quite, there when it comes to
system-level config and it is going to be configured differently.
The OpenSSL policy file in Fedora is
/etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is
to slurp that in and use it. On my box it is just a cipher string.
So either the system config needs to be read and the values replaced or
get_ciphers needs to be updated big time. I'd prefer the former.
If centralized cipher settings are in place, then the migrate.pl script
should definitely be aware of them.
This is however Fedora/RHEL specific.
I think we can keep the cipher string on other distributions.
Yup. I think we can just look for PROFILE=SYSTEM and slurp in
/etc/crypto-policies/back-ends/openssl.config. I can add this on after your
patch if you'd prefer.
I wouldn't, feel free to modify the patch.
Ok. I need to remove/comment out SSLRandomSeed connect builtin too.
I'm going to try to make some of the wording less platform-specific.
I've been guilty of this too :-( I might convert this into a generated
file so configure can set this up properly. What do you think? The
alternative is distro-specific patches that change the paths. Given the
infrequency that this is updated it might be preferable.
rob
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
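One way to implement the PROFILE=SYSTEM handling discussed above, as an added example that is not mod_nss's migrate.pl (which is Perl) and not code from either author. It is Python, the function names are mine, and both the mod_nss config and the policy-file contents below are constructed stand-ins for a real config and for /etc/crypto-policies/back-ends/openssl.config:

```python
import os
import re

# Constructed sample: directives as a migration script might emit them when
# the system-wide crypto policy is in use (the "unusable configuration" from the thread).
SAMPLE_CONFIG = """\
NSSEngine on
NSSCipherSuite PROFILE=SYSTEM
NSSProxyCipherSuite PROFILE=SYSTEM
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
"""

# Constructed sample standing in for the contents of
# /etc/crypto-policies/back-ends/openssl.config ("on my box it is just a cipher string").
SAMPLE_POLICY = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384\n"
)

# An OpenSSL cipher string is a single line of cipher names joined by ':' with the
# optional modifiers '+', '-', '!', '@' and '='.  Anything else is not slurped in blindly.
CIPHER_STRING_RE = re.compile(r"^[A-Za-z0-9:+!\-@=_]+$")

# Only these two directives carry PROFILE=SYSTEM in the sample; indentation and spacing are kept.
DIRECTIVE_RE = re.compile(r"^(\s*)(NSS(?:Proxy)?CipherSuite)(\s+)PROFILE=SYSTEM\s*$")


def load_system_cipher_string(text):
    """Return the cipher string found in a policy file's contents, or None if the
    contents do not look like exactly one OpenSSL cipher string."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if len(lines) != 1 or not CIPHER_STRING_RE.match(lines[0]):
        return None
    return lines[0]


def read_policy_file(path="/etc/crypto-policies/back-ends/openssl.config"):
    """Read the system policy file if present; None when it is absent or unusable."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return load_system_cipher_string(fh.read())


def expand_system_profile(config_text, cipher_string):
    """Replace PROFILE=SYSTEM on NSSCipherSuite / NSSProxyCipherSuite with the
    system cipher string.  Returns (new_text, replaced_count, commented_out_count).
    With no usable cipher string the directive is commented out rather than left
    pointing at a value mod_nss cannot use."""
    out, replaced, commented = [], 0, 0
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, directive, sep = m.groups()
        if cipher_string is None:
            out.append(f"{indent}# {directive}{sep}PROFILE=SYSTEM"
                       "   # no usable system cipher policy found; set a cipher string explicitly")
            commented += 1
        else:
            out.append(f"{indent}{directive}{sep}{cipher_string}")
            replaced += 1
    return "\n".join(out) + "\n", replaced, commented


if __name__ == "__main__":
    # Run against the constructed samples rather than the live system file.
    ciphers = load_system_cipher_string(SAMPLE_POLICY)
    text, n_replaced, n_commented = expand_system_profile(SAMPLE_CONFIG, ciphers)
    print(text, end="")
    print(f"# replaced={n_replaced} commented_out={n_commented}")
```

The guard in `load_system_cipher_string` is the answer to "I don't know how safe it is to slurp that in": the file is accepted only when it holds a single line shaped like a cipher string, and otherwise the directive is commented out with a visible note instead of being left as an unusable `PROFILE=SYSTEM`. Whether the OpenSSL-style names are accepted by the installed mod_nss is not checked here; that depends on the mod_nss version and is outside what the thread settles.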