Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-77631

default to allow-rsa-pkcs1-encrypt = false in GnuTLS

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • rhel-10.0
    • gnutls
    • None
    • No
    • Moderate
    • rhel-security-crypto-spades
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Hide

      allow-rsa-pkcs1-encrypt defaults to disabled in gnutls itself when the configuration file is missing [automated test]

      Show
      allow-rsa-pkcs1-encrypt defaults to disabled in gnutls itself when the configuration file is missing [automated test]
    • None
    • None
    • None

      GnuTLS now offers an option to disable PKCS#1 v1.5 padding allow-rsa-pkcs1-encrypt = false,
      an effect we'd like to see in RHEL-10.
      In addition to toggling it in crypto-policies, gnutls itself should default to it disabled by default,
      say, in a scenario without a configuration file.

      Introduction: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828
      Fix-up: https://gitlab.com/gnutls/gnutls/-/merge_requests/1830
      Commentary on the upstream testsuite readiness: https://gitlab.com/gnutls/gnutls/-/issues/1622
      Proposed gnutls merge request: https://gitlab.com/redhat/centos-stream/rpms/gnutls/-/merge_requests/98
      crypto-policies flip: https://issues.redhat.com/browse/RHEL-64746
      Note that the merge request above or an analogous fix is now a must for gnutls build to pass the tests after the crypto-policies flip.

              dueno@redhat.com Daiki Ueno
              asosedki@redhat.com Alexander Sosedkin
              Daiki Ueno Daiki Ueno
              Alexander Sosedkin Alexander Sosedkin
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: