[Ach] Fedora will implement "crypto policies"

Nikos Mavrogiannopoulos nmav at redhat.com
Thu Mar 20 08:16:01 CET 2014

Hello Aaron,
 I have seen your project before, and this is a very nice first step.
However, despite that is the current best practice, hardening each and
every service is something risky; some services may be forgotten or some
different copy/paste settings may be present in some of them, or some
clients that run periodically and use SSL via a dependency may not even
be known to the administrator. That is why we will attempt to use
system-wide crypto settings shared by all available services.

One thing that I realized after implementing that is that setting the
ciphersuites isn't sufficient to ensure a global policy. For example
connecting to a server using the TLS ciphersuite DHE-RSA with AES will
fulfill that policy, but that does not take into account the actual
group used for DHE (and there exist misconfigured servers that send
512-bit groups).

On this and some other issues (e.g., restricting available curves, or
setting a policy for acceptable parameters in certificates) we work on.
Currently we modify gnutls and nss, and upstream openssl said is already
working on it [0].

We are certainly interested for collaboration, and you are more than
welcome to contribute to that effort (let me know in that case). It is
not really fedora/redhat-specific as we work with the upstream projects.
The Fedora-specific part are the scripts that convert the system policy
to individual library policies.


[0]. http://marc.info/?l=openssl-dev&m=139474768815904&w=2

On Wed, 2014-03-19 at 23:23 +0100, Aaron Zauner wrote:
> We should tell them about our project.
> in CC: nmav at redhat.com
> Hi Nikos,
> I'm aware that you're busy with the TLS-WG and GnuTLS already, but you
> may want to take a look at the current draft of our paper on the topic
> https://bettercrypto.org/static/applied-crypto-hardening.pdf - Work has
> been ongoing since Oct. 2013 with a lot of useful feedback from the
> community, security people and operations guys.
> Is Fedora/Red Hat willing to contribute or collaborate on that effort? I
> think we do have some overlapping issues that both are trying to get
> fixed ASAP.
> We've already made contact with some of the Debian guys and we'd be
> happy to hear back from you as well!
> Aaron
> christian mock wrote:
> > Seems they will implement a system-wide cipher suite selection:
> > 
> > https://fedoraproject.org/wiki/Changes/CryptoPolicy
> > 
> > Sounds like a good idea...
> > 
> > cm.
> > 

More information about the Ach mailing list