[Ach] Fedora will implement "crypto policies"
Nikos Mavrogiannopoulos
nmav at redhat.com
Thu Mar 20 08:16:01 CET 2014

Hello Aaron,

I have seen your project before, and this is a very nice first step.
However, despite that being the current best practice, hardening each and
every service is something risky; some services may be forgotten or some
different copy/paste settings may be present in some of them, or some
clients that run periodically and use SSL via a dependency may not even
be known to the administrator. That is why we will attempt to use
system-wide crypto settings shared by all available services.

One thing that I realized after implementing that is that setting the
ciphersuites isn't sufficient to ensure a global policy. For example
connecting to a server using the TLS ciphersuite DHE-RSA with AES will
fulfill that policy, but that does not take into account the actual
group used for DHE (and there exist misconfigured servers that send
512-bit groups).

We are working on this and some other issues (e.g., restricting available
curves, or setting a policy for acceptable parameters in certificates).
Currently we modify gnutls and nss, and upstream openssl said it is already
working on it [0].

We are certainly interested in collaboration, and you are more than
welcome to contribute to that effort (let me know in that case). It is
not really fedora/redhat-specific as we work with the upstream projects.
The Fedora-specific part is the scripts that convert the system policy
to individual library policies.

regards,
Nikos

[0]. http://marc.info/?l=openssl-dev&m=139474768815904&w=2

On Wed, 2014-03-19 at 23:23 +0100, Aaron Zauner wrote:
> We should tell them about our project.
>
> in CC: nmav at redhat.com
>
> Hi Nikos,
>
> I'm aware that you're busy with the TLS-WG and GnuTLS already, but you
> may want to take a look at the current draft of our paper on the topic
> https://bettercrypto.org/static/applied-crypto-hardening.pdf - Work has
> been ongoing since Oct. 2013 with a lot of useful feedback from the
> community, security people and operations guys.
>
> Is Fedora/Red Hat willing to contribute or collaborate on that effort? I
> think we do have some overlapping issues that both are trying to get
> fixed ASAP.
>
> We've already made contact with some of the Debian guys and we'd be
> happy to hear back from you as well!
>
>
> Aaron
>
> christian mock wrote:
> > Seems they will implement a system-wide cipher suite selection:
> >
> > https://fedoraproject.org/wiki/Changes/CryptoPolicy
> >
> > Sounds like a good idea...
> >
> > cm.
> >
>
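
The gap described in the message above, where a ciphersuite allow-list accepts DHE-RSA with AES while the server sends a 512-bit group, can be checked mechanically. The following is an added example, not part of the original thread or of Fedora's implementation: it parses the ServerDHParams structure of a TLS ServerKeyExchange (RFC 5246, section 7.4.3) and applies a hypothetical policy. The policy values, function names and sample bytes are assumptions constructed for illustration.

```python
import struct
# Hypothetical policy: the suite names and the 2048-bit floor are assumptions
# of this example, not values taken from Fedora's CryptoPolicy.
POLICY = {"allowed_suites": {"DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA"},
          "min_dh_bits": 2048}

def read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then the value."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off + 2:end], "big"), end

def parse_server_dh_params(body):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys); trailing signature bytes are ignored."""
    p, off = read_opaque16(body, 0)
    g, off = read_opaque16(body, off)
    ys, off = read_opaque16(body, off)
    return p, g, ys

def check_handshake(suite, dh_params, policy=POLICY):
    """Return the policy violations for one observed DHE handshake."""
    violations = []
    if suite not in policy["allowed_suites"]:
        violations.append("ciphersuite %s not allowed" % suite)
    try:
        p, _g, _ys = parse_server_dh_params(dh_params)
    except ValueError as exc:
        return violations + ["malformed ServerDHParams: %s" % exc]
    # The suite name says nothing about the group size, so check it separately.
    if p.bit_length() < policy["min_dh_bits"]:
        violations.append("DH group is %d bits, minimum is %d"
                          % (p.bit_length(), policy["min_dh_bits"]))
    return violations

def make_params(p, g, ys):
    """Encode a constructed ServerDHParams body for the samples below."""
    return b"".join(struct.pack("!H", (n.bit_length() + 7) // 8)
                    + n.to_bytes((n.bit_length() + 7) // 8, "big")
                    for n in (p, g, ys))

# Constructed samples: numbers of the right size only, not vetted safe primes.
WEAK = make_params((1 << 511) | 1, 2, 4)
STRONG = make_params((1 << 2047) | 1, 2, 4)

if __name__ == "__main__":
    print(check_handshake("DHE-RSA-AES128-SHA", WEAK))
```

The allowed suite paired with the 512-bit sample is reported as a violation only because the group size is checked in addition to the suite name.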