Respect system wide minimum TLS version #709
Comments
And Debian (checked on Debian Bullseye (11)) has:

openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
This was referenced Jan 5, 2024

PR #710 seems reasonable to me.
wbclark added a commit to wbclark/katello that referenced this issue on Mar 11, 2024:
This was originally added to allow downgrading the CDN connection SSL version for compatibility with much older proxy servers. That should be less of a concern now. We do still set a value of TLS v1.2 for the min_version, but only because ruby/openssl#709 prevents using the system-wide crypto policy for now. In the future, that can be removed as well, restoring control to the user at the OS level.
wbclark added a commit to Katello/katello that referenced this issue on Mar 13, 2024, with the same commit message as above.
qcjames53 pushed a commit to qcjames53/katello that referenced this issue on Mar 19, 2024:
This was originally added to allow downgrading the CDN connection SSL version for compatibility with much older proxy servers. That should be less of a concern now. We do still set a value of TLS v1.2 for the min_version, but only because ruby/openssl#709 prevents using the system-wide crypto policy for now. In the future, that can be removed as well, restoring control to the user at the OS level. (cherry picked from commit 78fcba9)
qcjames53 added a commit to Katello/katello that referenced this issue on Mar 19, 2024:

* Refs #37148 - Remove removed_widgets override (#10927) (cherry picked from commit 40a70ce)
* Fixes #35215 - Handle cloned hostgroups in hosts_and_hostgroups_helper (#10894) (cherry picked from commit e3d46c6)
* Fixes #36979 - Remove cdn_ssl_version setting
  This was originally added to allow downgrading the CDN connection SSL version for compatibility with much older proxy servers. That should be less of a concern now. We do still set a value of TLS v1.2 for the min_version, but only because ruby/openssl#709 prevents using the system-wide crypto policy for now. In the future, that can be removed as well, restoring control to the user at the OS level. (cherry picked from commit 78fcba9)
* Fixes #37277 - Fix ACS randomly failing VCR tests (#10941) (cherry picked from commit 6d93801)
* Fixes #37240 - Fix CCV duplicate repo warning (#10928) (cherry picked from commit 02fc313)
---------
Co-authored-by: Jeremy Lenz <jlenz@redhat.com>
Co-authored-by: William Bradford Clark <wclark@redhat.com>
Co-authored-by: Ian Ballou <ianballou67@gmail.com>
Co-authored-by: Markus Bucher <bucher@atix.de>
It is possible to have a system wide crypto policy for OpenSSL, and Red Hat based distros (Fedora, RHEL & friends) do this out of the box. As far as I can see, the way this is done is in /etc/pki/tls/openssl.cnf:

Then in /etc/crypto-policies/back-ends/opensslcnf.config there is:

Note how there's a TLS.MinProtocol. This is not respected by Ruby, and I think it's because of this bit:

openssl/lib/openssl/ssl.rb, line 25 in 1fa9fc5

It doesn't appear to be possible to set this to nil, and I don't see any constant that tells it to use the system default. When I comment the line out, it does respect the system wide default. This appears to be done for ciphers already.
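A client-side workaround for the behaviour described in this issue and in the Debian comment above, added here as an example and not code from ruby/openssl or from any commenter: it follows the openssl.cnf chain quoted for Debian (openssl_conf -> ssl_conf -> system_default) to read MinProtocol and re-applies it to an SSLContext after set_params has installed the gem's own min_version default. The config text is constructed to mirror that comment; the Fedora layout, which spreads the policy over two files and uses the key TLS.MinProtocol, is not handled by this parser.

```ruby
require "openssl"

# Constructed sample mirroring the Debian openssl.cnf quoted in the comment above.
SAMPLE_CNF = <<~CNF
  openssl_conf = default_conf
  [default_conf]
  ssl_conf = ssl_sect
  [ssl_sect]
  system_default = system_default_sect
  [system_default_sect]
  MinProtocol = TLSv1.2
  CipherString = DEFAULT@SECLEVEL=2
CNF

# Map the MinProtocol spellings used by openssl.cnf to the gem's version constants.
MIN_PROTOCOL_NAMES = {
  "TLSv1"   => OpenSSL::SSL::TLS1_VERSION,
  "TLSv1.1" => OpenSSL::SSL::TLS1_1_VERSION,
  "TLSv1.2" => OpenSSL::SSL::TLS1_2_VERSION,
  "TLSv1.3" => OpenSSL::SSL::TLS1_3_VERSION,
}.freeze

# Walk openssl_conf -> ssl_conf -> system_default and return the MinProtocol
# version constant, or nil when any link of the chain or the key is absent.
def system_min_version(cnf_text)
  conf = OpenSSL::Config.parse(cnf_text)
  app_sect = conf.get_value("default", "openssl_conf") or return nil
  ssl_sect = conf.get_value(app_sect, "ssl_conf") or return nil
  sys_sect = conf.get_value(ssl_sect, "system_default") or return nil
  name = conf.get_value(sys_sect, "MinProtocol") or return nil
  MIN_PROTOCOL_NAMES.fetch(name) { raise ArgumentError, "unknown MinProtocol #{name.inspect}" }
end

# set_params applies the gem's DEFAULT_PARAMS (including its own min_version),
# which is what overrides the system floor; so the floor from the config is
# re-applied afterwards. Returns [ctx, applied_version]; applied_version is nil
# when the config defines no floor and the gem default was left in place.
def client_context_with_system_floor(cnf_text)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  version = system_min_version(cnf_text)
  ctx.min_version = version if version
  [ctx, version]
end
```

To read the real file instead of the constructed text, pass the result of OpenSSL::Config.load on the distribution's openssl.cnf path (assumed here, not taken from the issue) converted back to text, or adapt system_min_version to take an OpenSSL::Config directly.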