Hi Rob,

* On Friday 18 March 2016, 23:20:46 [CET] Rob Crittenden wrote:
> Rob Crittenden wrote:
> >Vitezslav Cizek wrote:
> >>Hi Rob,
> >>
> >>* On Friday 18 March 2016, 15:44:34 [CET] Rob Crittenden wrote:
> >>>
> >>>>>Thanks for the patch! I created
> >>>>>https://fedorahosted.org/mod_nss/ticket/25
> >>>>>to track this.
> >>>>
> >>>>Thanks, I updated the patch in there.
> >>>
> >>>Ok thanks, I'll take a look.
> >>
> >>The new patch incorporates suggestions from your first email.
> >>
> >>>>>Some comments:
> >>>>>
> >>>>>I think it would be best to completely drop get_ciphers and the
> >>>>>lines that were calling it.
> >>>>>
> >>>>>There is a problem though.
> >>>>
> >>>>I sort of expected that this step may cause some problems, that's why
> >>>>I left the code in, but commented it out.
> >>>>
> >>>>>In Fedora/RHEL/CentOS there is a movement towards a
> >>>>>system-level SSL/TLS configuration. This leaves an unusable
> >>>>>configuration of:
> >>>>>
> >>>>>NSSCipherSuite PROFILE=SYSTEM
> >>>>>NSSProxyCipherSuite PROFILE=SYSTEM
> >>>>>
> >>>>>This is because NSS is almost, but not quite, there when it comes to
> >>>>>system-level config and it is going to be configured differently.
> >>>>>
> >>>>>The OpenSSL policy file in Fedora is
> >>>>>/etc/crypto-policies/back-ends/openssl.config. I don't know how
> >>>>>safe it is to slurp that in and use it. On my box it is just a
> >>>>>cipher string.
> >>>>>
> >>>>>So either the system config needs to be read and the values
> >>>>>replaced or get_ciphers needs to be updated big time. I'd prefer
> >>>>>the former.
> >>>>
> >>>>If centralized cipher settings are in place, then the migrate.pl script
> >>>>should definitely be aware of them.
> >>>>This is however Fedora/RHEL specific.
> >>>>I think we can keep the cipher string on other distributions.
> >>>
> >>>Yup. I think we can just look for PROFILE=SYSTEM and slurp in
> >>>/etc/crypto-policies/back-ends/openssl.config. I can add this on
> >>>after your patch if you'd prefer.
> >>
> >>I wouldn't, feel free to modify the patch.
> >>
> >
> >Ok. I need to remove/comment out SSLRandomSeed connect builtin too.
> >
> >I'm going to try to make some of the wording less platform-specific.
> >I've been guilty of this too :-( I might convert this into a generated
> >file so configure can set this up properly. What do you think? The
> >alternative is distro-specific patches that change the paths. Given the
> >infrequency that this is updated it might be preferable.
>
> Here is what I came up with.
>
> I dropped a bit of info from the summary after conversion because it was
> distro specific and I didn't really see the need. Why would a VirtualHost be
> ok in mod_ssl and not mod_nss?

It originated from our old patch, so, yes, it was distro specific.

> I also dropped get_ciphers(). It will be in git if there is ever a need to
> revive it.

Ok, we have no need for it now anyway.

> This should apply on top of your latest patch. Let me know what you think.

The patch is good for me.

-- 
Vita Cizek
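The approach Rob sketches in the thread (look for PROFILE=SYSTEM in the converted cipher directives and slurp in /etc/crypto-policies/back-ends/openssl.config) as an added, illustrative example. This is not the migrate.pl patch discussed above (migrate.pl is Perl) and not mod_nss project code. It assumes, as Rob observed on his box, that the policy file holds a single OpenSSL cipher string, and it refuses to guess when the file is missing or contains anything else: the directive is left in place with a comment explaining why, so the admin sees the problem instead of the server silently running on some other cipher list. The directive names and the policy path come from the thread; the `write_constructed_policy` helper and the sample cipher string are constructed here for testing.

```python
import os
import re
import tempfile

# Fedora/RHEL OpenSSL back-end policy file named in the thread.
CRYPTO_POLICY_OPENSSL = "/etc/crypto-policies/back-ends/openssl.config"

# mod_nss directives whose value may come out as PROFILE=SYSTEM after
# converting a mod_ssl config (NSSCipherSuite / NSSProxyCipherSuite).
DIRECTIVE_RE = re.compile(r"^(\s*)(NSSCipherSuite|NSSProxyCipherSuite)\s+(\S+)\s*$")

# Characters that can appear in an OpenSSL cipher string (names, +-! prefixes,
# ':' separators, '@' / '=' for keywords such as @STRENGTH). Anything else
# means the file is not "just a cipher string" and we must not use it blindly.
CIPHER_STRING_RE = re.compile(r"[A-Za-z0-9+\-!:@=.]+")


def read_system_cipher_string(path=CRYPTO_POLICY_OPENSSL):
    """Return the cipher string from the OpenSSL policy file, or None.

    None is returned when the file is unreadable, empty, has more than one
    non-comment line, or the line does not look like a cipher string.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            lines = [ln.strip() for ln in fh
                     if ln.strip() and not ln.lstrip().startswith("#")]
    except OSError:
        return None
    if len(lines) != 1 or not CIPHER_STRING_RE.fullmatch(lines[0]):
        return None
    return lines[0]


def expand_system_profile(config_lines, policy_path=CRYPTO_POLICY_OPENSSL):
    """Rewrite 'NSS*CipherSuite PROFILE=SYSTEM' lines using the system policy.

    Lines that are not cipher directives, or whose value is an explicit cipher
    list already, pass through unchanged. If the policy cannot be resolved, the
    offending directive is kept (mod_nss will reject it) and a comment above it
    says why, so the failure is visible rather than hidden.
    """
    out = []
    loaded = False
    cipher_string = None
    for line in config_lines:
        m = DIRECTIVE_RE.match(line)
        if not (m and m.group(3) == "PROFILE=SYSTEM"):
            out.append(line)
            continue
        if not loaded:  # read the policy file at most once per run
            cipher_string = read_system_cipher_string(policy_path)
            loaded = True
        indent, directive = m.group(1), m.group(2)
        if cipher_string is None:
            out.append(f"{indent}# {directive}: could not resolve PROFILE=SYSTEM from "
                       f"{policy_path}; set an explicit cipher list here")
            out.append(line)
        else:
            out.append(f"{indent}{directive} {cipher_string}")
    return out


def write_constructed_policy(cipher_string):
    """Test fixture: write a constructed stand-in for openssl.config, return its path."""
    fd, path = tempfile.mkstemp(suffix=".config")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(cipher_string + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample policy, not the contents of any real system's file.
    path = write_constructed_policy(
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256")
    try:
        converted = ["NSSCipherSuite PROFILE=SYSTEM",
                     "NSSProxyCipherSuite PROFILE=SYSTEM",
                     "NSSProtocol TLSv1.2"]
        for ln in expand_system_profile(converted, path):
            print(ln)
    finally:
        os.unlink(path)
```

The single-line check is deliberately strict: the thread's plan relies on the file being a plain cipher string that mod_nss can take as-is, and a distro that later changes the file format should break the conversion loudly rather than produce a cipher list nobody reviewed.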
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
