Re: SSL_DEFAULT_CIPHER_LIST vs PROFILE=DEFAULT vs no set_cipher_list()
On Fri, Dec 6, 2019 at 9:04 am, Igor Gnatenko wrote:

> So my question would be: Should I patch rust-openssl to use PROFILE=DEFAULT or should I just remove that call entirely? It is not very clear to me from the guidelines.

That wouldn't be correct. It needs to use PROFILE=SYSTEM (Fedora system policy), not PROFILE=DEFAULT (upstream default policy). Two options:

* You can simply patch out the call to ctx.set_cipher_list() (potentially-upstreamable solution)
* You can change the whole string from "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK" to "SYSTEM" (probably slightly clearer for a downstream patch)

> Also since I want to get this upstream, which option is more portable?

I suspect the only portable option would be to delete the call. I suspect you cannot use SYSTEM policy except on Fedora/RHEL; it probably doesn't exist elsewhere and won't work. I haven't checked to be certain for OpenSSL, but that's definitely the case for GnuTLS and it's likely the same. Accordingly, the change is not suitable for upstream unless upstream is OK with dropping the manual cipher list, so you'll probably need to keep this downstream indefinitely.

I think it would be nice for Fedora crypto policy to be adjusted so as to be suitable for upstream applications, so we don't have to patch applications forever to comply, but this was a deliberate design choice.

Michael

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
SSL_DEFAULT_CIPHER_LIST vs PROFILE=DEFAULT vs no set_cipher_list()
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_cc_applications says that I need to patch the application (if it does not have a config file) to use "PROFILE=SYSTEM" as the argument to the cipher list.

However, when I was looking into the library which uses this function (rust-openssl), I found the following piece of code:

    /// Creates a new builder for TLS connections.
    ///
    /// The default configuration is subject to change, and is currently derived from Python.
    pub fn builder(method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
        let mut ctx = ctx(method)?;
        ctx.set_default_verify_paths()?;
        ctx.set_cipher_list(
            "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK",
        )?;
        setup_verify(&mut ctx);

        Ok(SslConnectorBuilder(ctx))
    }

https://github.com/sfackler/rust-openssl/blob/9ba802ad437447ac71f99d89653b35072bf5ccd9/openssl/src/ssl/connector.rs#L62-L74

Then I looked at CPython and found that it does this:

    /* Ignored in SSLContext constructor, only used to as _ssl.DEFAULT_CIPHER_STRING */
    #define PY_SSL_DEFAULT_CIPHER_STRING SSL_DEFAULT_CIPHER_LIST

And then it just ignores the call to SSL_CTX_set_cipher_list().

So my question would be: Should I patch rust-openssl to use PROFILE=DEFAULT or should I just remove that call entirely? It is not very clear to me from the guidelines.

Also since I want to get this upstream, which option is more portable?
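Added example, written for this thread and not taken from either message, from rust-openssl or from CPython: the point of both posts is that "PROFILE=SYSTEM" is only meaningful on an OpenSSL carrying the Fedora/RHEL crypto-policies patch, while the upstream rust-openssl string works everywhere. CPython's ssl module calls the same SSL_CTX_set_cipher_list() the thread talks about, so it can check what a given OpenSSL build does with each string (the ssl-module equivalent of `openssl ciphers -v '...'`) and show the resulting cipher list. The function names (expand_cipher_string, system_policy_available, build_context) and the "prefer the system policy, otherwise fall back to the upstream string" arrangement are mine, added for illustration; the thread itself recommends either dropping the call or carrying a downstream patch.

```python
import ssl
from typing import List, Tuple

# The upstream rust-openssl default, as quoted in the thread.
UPSTREAM_DEFAULT = (
    "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
)
# The string the Fedora packaging guidelines ask applications to pass.
FEDORA_SYSTEM = "PROFILE=SYSTEM"


def expand_cipher_string(cipher_string: str) -> List[str]:
    """Return the cipher names OpenSSL selects for cipher_string, or [] if it rejects it.

    ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(). OpenSSL ignores
    keywords it does not know and fails with "no cipher match" when nothing is
    left, which is what happens to PROFILE=SYSTEM on a build without the
    crypto-policies patch. The ssl module raises ssl.SSLError for that failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def system_policy_available() -> bool:
    """True when this OpenSSL understands PROFILE=SYSTEM (Fedora/RHEL crypto-policies)."""
    return bool(expand_cipher_string(FEDORA_SYSTEM))


def build_context() -> Tuple[ssl.SSLContext, str]:
    """Build a client context and report which cipher string ended up in force.

    "system"   - PROFILE=SYSTEM was accepted, so the distribution policy applies
    "upstream" - it was rejected, so the upstream rust-openssl string was applied
    This fallback is a hypothetical arrangement for illustration only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()  # ssl-module counterpart of set_default_verify_paths()
    if system_policy_available():
        ctx.set_ciphers(FEDORA_SYSTEM)
        return ctx, "system"
    ctx.set_ciphers(UPSTREAM_DEFAULT)
    return ctx, "upstream"


if __name__ == "__main__":
    ctx, source = build_context()
    print(f"cipher string in force: {source}")
    for name in [c["name"] for c in ctx.get_ciphers()][:5]:
        print("  ", name)
    print("PROFILE=SYSTEM accepted here:", system_policy_available())
```

Running this on Fedora/RHEL prints "system"; on any other distribution, or on a vendored OpenSSL, expand_cipher_string(FEDORA_SYSTEM) comes back empty and the context falls back to the upstream list, which is the portability problem Michael describes.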