Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-10.0
Affects Version/s: rhel-8.10.z, rhel-9.6, rhel-10.0
Component/s: crypto-policies
Labels:
- Accepted
- CY25Q1

Fixed in Build:
crypto-policies-20250128-1.git22421d3.el10
Regression:
No
Severity:
Low
Epic Link:
CRYPTO-15258
sprint_count:
1

Pool Team:

rhel-sst-security-crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
0.2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto25Q1

Acceptance Criteria:

AC1) No opensslcnf policy we ship loses Ciphersuites except FIPS:OSPP
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139952
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
Cause/Consequence: due to mapping Ciphersuites option of openssl to ciphers crypto-policies option alone, applying custom crypto-policies could leave certain TLS 1.3 Ciphersuites enabled even if their hashes/MACs were disabled
Fix: crypto-policies takes more algorithms into account when deciding whether to enable a ciphersuite
Result: users of custom crypto-policies might have openssl refusing to negotiate some of the previously enabled TLS 1.3 ciphersuites in better accordance to the system configuration

Show
Cause/Consequence: due to mapping Ciphersuites option of openssl to ciphers crypto-policies option alone, applying custom crypto-policies could leave certain TLS 1.3 Ciphersuites enabled even if their hashes/MACs were disabled Fix: crypto-policies takes more algorithms into account when deciding whether to enable a ciphersuite Result: users of custom crypto-policies might have openssl refusing to negotiate some of the previously enabled TLS 1.3 ciphersuites in better accordance to the system configuration
Release Note Status:
Proposed

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Currently, openssl TLS 1.3 specific Ciphersuites option values
are controlled by the ciphers crypto-policy option alone,
without taking into account that security of a ciphersuite relies on use multiple algorithms,
such as hash functions and MACs in addition to the ciphers,
and distrusting them should distrust the entire ciphersuite as well.

This ticket is a request to backport this functionality from Fedora
(https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/222).

The impact of the change on the existing policies should be next to nonexistent.
Out of the policies we ship,
FIPS:OSPP will have all Ciphersuites disabled due to OSPP subpolicy disabling TLS 1.3 altogether,
the rest should see no change.

links to

RHBA-2024:139952 crypto-policies bug fix and enhancement update

Assignee:: Alexander Sosedkin

Reporter:: Alexander Sosedkin

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Doc Contact:: Mirek Jahoda

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/01/28 4:26 PM

Updated:: 2025/03/06 1:31 PM

Target end:: 2025/02/17

Next Planned Release Date:: 2025/05/13

Details

AC1) No opensslcnf policy we ship loses Ciphersuites except FIPS:OSPP

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates