Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package crypto-policies for openSUSE:Factory
checked in at 2023-07-27 16:50:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
and /work/SRC/openSUSE:Factory/.crypto-policies.new.32662 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crypto-policies"
Thu Jul 27 16:50:31 2023 rev:4 rq:1099073 version:20230614.5f3458e
Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes
2023-05-28 19:21:47.560587205 +0200
+++
/work/SRC/openSUSE:Factory/.crypto-policies.new.32662/crypto-policies.changes
2023-07-27 16:50:54.573848527 +0200
@@ -1,0 +2,15 @@
+Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner <[email protected]>
+
+- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933)
+ derived from NEXT.pol
+
+-------------------------------------------------------------------
+Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Update to version 20230614.5f3458e:
+ * policies: impose old OpenSSL groups order for all back-ends
+ * Rebase patches:
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+ - crypto-policies-supported.patch
+
+-------------------------------------------------------------------
Old:
----
fedora-crypto-policies-20230420.3d08ae7.tar.gz
New:
----
BSI.pol
fedora-crypto-policies-20230614.5f3458e.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.641854561 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.649854607 +0200
@@ -22,7 +22,7 @@
%bcond_with manbuild
%global _python_bytecompile_extra 0
Name: crypto-policies
-Version: 20230420.3d08ae7
+Version: 20230614.5f3458e
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@@ -35,6 +35,8 @@
Source4: fips-mode-setup.8.gz
Source5: fips-finish-install.8.gz
Source6: crypto-policies-rpmlintrc
+# BSI TR-02102 encoded for jsc#PED-4933 (customer request to have BSI TR-02102
policies)
+Source7: BSI.pol
%if %{without manbuild}
#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
# To reduce the build dependencies in Ring0, we have to compile the
@@ -58,7 +60,7 @@
BuildRequires: asciidoc
%endif
%if %{with testsuite}
-# The following buildrequires are needed for the testsuite
+# The following packages are needed for the testsuite
BuildRequires: bind
BuildRequires: gnutls >= 3.6.0
BuildRequires: java-devel
@@ -92,6 +94,7 @@
%package scripts
Summary: Tool to switch between crypto policies
Requires: %{name} = %{version}-%{release}
+Recommends: grubby
%description scripts
This package provides a tool update-crypto-policies, which applies
@@ -99,6 +102,9 @@
either the pre-built policies from the base package or custom policies
defined in simple policy definition files.
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
%prep
%autosetup -p1 -n fedora-%{name}-%{version}
@@ -111,6 +117,9 @@
%build
export OPENSSL_CONF=''
+sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
+ python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
%make_build
%install
@@ -124,6 +133,10 @@
mkdir -p -m 755 %{buildroot}%{_bindir}
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies
MANDIR=%{_mandir} %{?_smp_mflags} install
+
+# BSI.pol
+install -c -m 644 %{SOURCE7}
%{buildroot}/%{_datarootdir}/crypto-policies/policies/
+
install -p -m 644 default-config
%{buildroot}%{_sysconfdir}/crypto-policies/config
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
@@ -168,7 +181,7 @@
%check
%if %{with testsuite}
export OPENSSL_CONF=''
-%make_build test || :
+%make_build test test-install test-fips-setup || :
%endif
%post -p <lua>
++++++ BSI.pol ++++++
# This policy follows the BSI TR-02102-2 "Kryptographische Verfahren:
Verwendung von Transport Layer Security (TLS)"
#
Generic:https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html
# TLS:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.html
# IPSEC:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-3.html
# Note that currently crypto-policies do not adjust ipsec
configs, but only openssl or nss.
# SSH:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-4.html
# Note that the SUSE openssh is not yet reading crypto policies.
# Author: Marcus Meissner <[email protected]> 2023
#
# Based on NEXT.pol
# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
# HMAC-SHA1 is not valid anymore
# UMAC is for SSH... check TODO
mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
# BSI TR 02102-2 / revision 2023.1, Table 4 "Empfohlene Diffie-Hellman-Gruppen
für TLS 1.2"
# not listed in BSI TR, but could be included: FFDHE-6144 FFDHE-8192
group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072 FFDHE-4096
BRAINPOOL-P512R1 BRAINPOOL-P384R1 BRAINPOOL-P256R1
# BSI TR 02102 / revision 2023.1, Table 5.1 "Empfohlene Hashfunktionen."
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512
hash@DNSSec = SHA1+ # SHA1 is still prevalent in DNSSec
# BSI TR 02102-2 / revision 2023.1, Table 5 "Empfohlene Signaturverfahren für
TLS 1.2" and
# Table 6 "Empfohlene Hashfunktionen für Signaturverfahren in TLS 1.2"
# BSI TR 02102 / revision 2023.1 Section 5 "Hashfunktionen"
# 224 bit SHA parts not recommended by BSI: ECDSA-SHA2-224
RSA-PSS-SHA2-224 RSA-SHA2-224 ECDSA-SHA3-224 RSA-PSS-SHA3-224 RSA-SHA3-224
sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA2-256-FIDO \
ECDSA-SHA3-384 ECDSA-SHA2-384 \
ECDSA-SHA3-512 ECDSA-SHA2-512 \
EDDSA-ED25519 EDDSA-ED25519-FIDO EDDSA-ED448 \
RSA-PSS-SHA3-256 RSA-PSS-SHA2-256 \
RSA-PSS-SHA3-384 RSA-PSS-SHA2-384 \
RSA-PSS-SHA3-512 RSA-PSS-SHA2-512 \
RSA-PSS-RSAE-SHA3-256 RSA-PSS-RSAE-SHA2-256 \
RSA-PSS-RSAE-SHA3-384 RSA-PSS-RSAE-SHA2-384 \
RSA-PSS-RSAE-SHA3-512 RSA-PSS-RSAE-SHA2-512 \
RSA-SHA3-256 RSA-SHA2-256 \
RSA-SHA3-384 RSA-SHA2-384 \
RSA-SHA3-512 RSA-SHA2-512
sign@DNSSec = RSA-SHA1+ ECDSA-SHA1+ # SHA1 is still prevalent in DNSSec
# BSI TR 02102 / revision 2023.1
# Not listed in BSI TR: CHACHA20-POLY1305 CAMELLIA-256-GCM CAMELLIA-128-CBC
CAMELLIA-256-CBC CAMELLIA-128-GCM
cipher = AES-256-GCM AES-256-CCM AES-256-CTR AES-256-CBC AES-128-GCM
AES-128-CCM AES-128-CTR AES-128-CBC
# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
# CHACHA20-POLY1305 not listed in TR
cipher@TLS = AES-256-GCM AES-256-CCM AES-256-CBC AES-128-GCM AES-128-CCM
AES-128-CBC
cipher@sequoia = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
cipher@RPM = AES-256-CFB AES-128-CFB CAMELLIA-256-CFB CAMELLIA-128-CFB
# CBC ciphers in SSH are considered vulnerable to plaintext recovery attacks
# and disabled in client OpenSSH 7.6 (2017) and server OpenSSH 6.7 (2014).
cipher@SSH = -*-CBC
# BSI TR 02102-2 / revision 2023.1, Table 1 and Table 2
# Note this goes to all ciphers. DHE-GSS is not valid for TLS, but used in SSH.
# TLS: ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK are ok, GSS is not
used in TLS, will not be used for TLS
key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK ECDHE-PSK RSA-PSK ECDHE-GSS DHE-GSS
# BSI TR 02102-2 / revision 2023.1, Section 3.2 "SSL/TLS Versionen"
protocol@TLS = TLS1.3 TLS1.2 DTLS1.2
protocol@IKE = IKEv2
# Parameter sizes
min_dh_size = 3072
min_dsa_size = 3072
# BSI TR 02102-2 / revision 2023.1: 2k still allowed until end of 2023.
min_rsa_size = 2048
# GnuTLS only for now
sha1_in_certs = 0
arbitrary_dh_groups = 1
ssh_certs = 1
ssh_etm = 1
# https://pagure.io/fesco/issue/2960
# "RPM must accept SHA-1 hashes and DSA keys for Fedora 38"
sign@RPM = DSA-SHA1+
hash@RPM = SHA1+
min_dsa_size@RPM = 1024
++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.705854923 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.709854946 +0200
@@ -1,7 +1,7 @@
Currently, the supported back-end policies are:
* OpenSSL library
* GnuTLS library
- * OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
+ * OpenJDK
The rest of the modules ignore the policy settings for the time being.
++++++ _service ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.729855059 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.737855104 +0200
@@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="versionformat">%cd.%h</param>
<param name="changesgenerate">enable</param>
- <param name="revision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param>
+ <param name="revision">5f3458e619628288883f22695f3311f1ccd6a39f</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.757855217 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.761855240 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
- <param
name="changesrevision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param></service></servicedata>
+ <param
name="changesrevision">5f3458e619628288883f22695f3311f1ccd6a39f</param></service></servicedata>
(No newline at EOF)
++++++ crypto-policies-revert-rh-allow-sha1-signatures.patch ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.781855353 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.785855375 +0200
@@ -4,10 +4,10 @@
Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
-Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
+Index: fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/policies/FUTURE.pol
-+++ fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
+--- fedora-crypto-policies-20230614.5f3458e.orig/policies/FUTURE.pol
++++ fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
@@ -65,7 +65,3 @@ sha1_in_certs = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@@ -16,10 +16,10 @@
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
-Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
+Index: fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/policies/modules/NO-SHA1.pmod
-+++ fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
+--- fedora-crypto-policies-20230614.5f3458e.orig/policies/modules/NO-SHA1.pmod
++++ fedora-crypto-policies-20230614.5f3458e/policies/modules/NO-SHA1.pmod
@@ -3,7 +3,3 @@
hash = -SHA1
sign = -*-SHA1
@@ -28,10 +28,10 @@
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
-Index:
fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
+Index:
fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/python/cryptopolicies/cryptopolicies.py
-+++
fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
+---
fedora-crypto-policies-20230614.5f3458e.orig/python/cryptopolicies/cryptopolicies.py
++++
fedora-crypto-policies-20230614.5f3458e/python/cryptopolicies/cryptopolicies.py
@@ -19,7 +19,6 @@ from . import validation # moved out of
INT_DEFAULTS = {k: 0 for k in (
'arbitrary_dh_groups',
@@ -40,10 +40,10 @@
'sha1_in_certs',
'ssh_certs', 'ssh_etm',
)}
-Index:
fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
+Index:
fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/openssl.py
-+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
+---
fedora-crypto-policies-20230614.5f3458e.orig/python/policygenerators/openssl.py
++++ fedora-crypto-policies-20230614.5f3458e/python/policygenerators/openssl.py
@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
from .configgenerator import ConfigGenerator
@@ -72,10 +72,10 @@
return s
@classmethod
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/alternative-policies/FUTURE.pol
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/alternative-policies/FUTURE.pol
++++
fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@@ -84,52 +84,52 @@
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/EMPTY-opensslcnf.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/EMPTY-opensslcnf.txt
++++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/EMPTY-opensslcnf.txt
@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
Ciphersuites =
SignatureAlgorithms =
@@ -140,66 +140,52 @@
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS-opensslcnf.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS-opensslcnf.txt
++++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups =
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
- Groups = secp256r1:secp384r1:secp521r1
+ Groups = secp256r1:secp521r1:secp384r1
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
-@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
- DTLS.MaxProtocol = DTLSv1.2
- SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups =
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
--
--[openssl_init]
--alg_section = evp_properties
--
--[evp_properties]
--rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
-===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FUTURE-opensslcnf.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FUTURE-opensslcnf.txt
++++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = no
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
TLS.MaxProtocol = TLSv1.3
SignatureAlgorithms =
@@ -210,38 +196,38 @@
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY-opensslcnf.txt
-+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY-opensslcnf.txt
++++ fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index:
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
-+++
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
- Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
-Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
+Index: fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
===================================================================
----
fedora-crypto-policies-20230420.3d08ae7.orig/tests/unit/test_cryptopolicy.py
-+++ fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/unit/test_cryptopolicy.py
++++ fedora-crypto-policies-20230614.5f3458e/tests/unit/test_cryptopolicy.py
@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
min_dh_size = 0
min_dsa_size = 0
@@ -258,10 +244,10 @@
sha1_in_certs = 0
ssh_certs = 0
ssh_etm = 0
-Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
+Index: fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
===================================================================
---- fedora-crypto-policies-20230420.3d08ae7.orig/policies/TEST-FEDORA39.pol
-+++ fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
+--- fedora-crypto-policies-20230614.5f3458e.orig/policies/TEST-FEDORA39.pol
++++ fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
@@ -67,7 +67,3 @@ sha1_in_certs = 0
arbitrary_dh_groups = 1
ssh_certs = 1
@@ -270,4 +256,46 @@
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures will blocked in OpenSSL
-__openssl_block_sha1_signatures = 1
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+===================================================================
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FEDORA38-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+===================================================================
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index:
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+===================================================================
+---
fedora-crypto-policies-20230614.5f3458e.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
++++
fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups =
secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
++++++ crypto-policies-supported.patch ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.813855533 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.813855533 +0200
@@ -16,7 +16,7 @@
+* NSS library (NSS, SSL, TLS) (Not supported)
-* OpenJDK (java-tls, SSL, TLS)
-+* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and
java-11-openjdk)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)
++++++ crypto-policies.7.gz ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.833855646 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.841855692 +0200
@@ -2,12 +2,12 @@
.\" Title: crypto-policies
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 05/25/2023
+.\" Date: 07/13/2023
.\" Manual: \ \&
.\" Source: crypto-policies
.\" Language: English
.\"
-.TH "CRYPTO\-POLICIES" "7" "05/25/2023" "crypto\-policies" "\ \&"
+.TH "CRYPTO\-POLICIES" "7" "07/13/2023" "crypto\-policies" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -1460,6 +1460,19 @@
and
\fBgroup\fR\&.
.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNSS\fR: order of
+\fBgroup\fR
+values is ignored and built\-in order is used instead\&.
+.RE
.SH "HISTORY"
.sp
The \fBECDHE\-GSS\fR and \fBDHE\-GSS\fR algorithms are newly introduced and
must be specified in the base policy for the SSH GSSAPI key exchange methods to
be enabled\&. Previously the legacy SSH GSSAPI key exchange methods were
automatically enabled when the \fBSHA1\fR hash and \fBDH\fR parameters of at
least 2048 bits were enabled\&.
++++++ fedora-crypto-policies-20230420.3d08ae7.tar.gz ->
fedora-crypto-policies-20230614.5f3458e.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/crypto-policies.7.txt
new/fedora-crypto-policies-20230614.5f3458e/crypto-policies.7.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/crypto-policies.7.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/crypto-policies.7.txt
2023-06-14 15:28:09.000000000 +0200
@@ -366,6 +366,8 @@
*asymmetric_algorithms* is not controlled directly, but deduced from
*sign* and *group*.
+* *NSS*: order of *group* values is ignored and built-in order is used instead.
+
HISTORY
-------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/DEFAULT.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/DEFAULT.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/DEFAULT.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/DEFAULT.pol
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224
\
SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/FEDORA38.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/FEDORA38.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/FEDORA38.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/FEDORA38.pol
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224
\
SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/FIPS.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/FIPS.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/FIPS.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/FIPS.pol
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
-group = SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = SECP256R1 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/FUTURE.pol
2023-06-14 15:28:09.000000000 +0200
@@ -18,8 +18,8 @@
mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/LEGACY.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/LEGACY.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/LEGACY.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/LEGACY.pol
2023-06-14 15:28:09.000000000 +0200
@@ -17,8 +17,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536
group@SSH = FFDHE-1024+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
new/fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
--- old/fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/policies/TEST-FEDORA39.pol
2023-06-14 15:28:09.000000000 +0200
@@ -13,8 +13,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA3-224
\
SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/DEFAULT.pol
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/DEFAULT.pol
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/DEFAULT.pol
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/DEFAULT.pol
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA*-224 SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FIPS.pol
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FIPS.pol
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FIPS.pol
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FIPS.pol
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
-group = SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = SECP256R1 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/FUTURE.pol
2023-06-14 15:28:09.000000000 +0200
@@ -18,8 +18,8 @@
mac = AEAD HMAC-SHA2-256 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHAKE-256
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/LEGACY.pol
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/LEGACY.pol
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/LEGACY.pol
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/alternative-policies/LEGACY.pol
2023-06-14 15:28:09.000000000 +0200
@@ -17,11 +17,12 @@
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
-group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536
+group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536
-ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 \
- FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 FFDHE-1536
FFDHE-1024
+ssh_group = X25519 SECP256R1 X448 SECP521R1 SECP384R1 \
+ FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192 \
+ FFDHE-1536 FFDHE-1024
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA*-224 SHAKE-* \
SHA1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -15,10 +15,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -79,10 +79,10 @@
secure-sig-for-cert = ECDSA-SHA3-224
secure-sig-for-cert = RSA-SHA3-224
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -16,10 +16,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -87,10 +87,10 @@
secure-sig-for-cert = dsa-sha1
secure-sig-for-cert = ecdsa-sha1
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512,rsa-sha1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-nss.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -15,10 +15,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -79,10 +79,10 @@
secure-sig-for-cert = ECDSA-SHA3-224
secure-sig-for-cert = RSA-SHA3-224
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-nss.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/DEFAULT:GOST-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -15,10 +15,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -79,10 +79,10 @@
secure-sig-for-cert = ECDSA-SHA3-224
secure-sig-for-cert = RSA-SHA3-224
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FEDORA38-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FEDORA38-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-gnutls.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -68,8 +68,8 @@
secure-sig-for-cert = ECDSA-SHA224
secure-sig-for-cert = RSA-SHA224
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
tls-enabled-cipher = AES-256-GCM
tls-enabled-cipher = AES-256-CCM
tls-enabled-cipher = AES-256-CBC
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups =
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -14,8 +14,8 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
secure-sig = ECDSA-SHA3-256
secure-sig = ECDSA-SHA256
secure-sig = ECDSA-SECP256R1-SHA256
@@ -63,8 +63,8 @@
secure-sig-for-cert = ECDSA-SHA224
secure-sig-for-cert = RSA-SHA224
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
tls-enabled-cipher = AES-256-GCM
tls-enabled-cipher = AES-256-CCM
tls-enabled-cipher = AES-256-CBC
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21,aes256-sha2_512+sha2_256-dh19+dh20+dh21,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21,aes128-sha2_256-dh19+dh20+dh21
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh21+dh20,aes256-sha2_512+sha2_256-dh19+dh21+dh20,aes_gcm128-sha2_512+sha2_256-dh19+dh21+dh20,aes128-sha2_256-dh19+dh21+dh20
esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups = secp256r1:secp384r1:secp521r1
+Groups = secp256r1:secp521r1:secp384r1
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -9,8 +9,8 @@
tls-enabled-mac = AEAD
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -59,8 +59,8 @@
secure-sig-for-cert = RSA-SHA3-512
secure-sig-for-cert = RSA-SHA512
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
tls-enabled-cipher = AES-256-GCM
tls-enabled-cipher = AES-256-CBC
tls-enabled-cipher = AES-128-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,aes256-sha2_512+sha2_256,aes_gcm128,aes128-sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FIPS:OSPP-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
-Groups =
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-gnutls.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -12,10 +12,10 @@
tls-enabled-mac = AEAD
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
tls-enabled-group = GROUP-FFDHE6144
@@ -67,10 +67,10 @@
secure-sig-for-cert = RSA-SHA3-512
secure-sig-for-cert = RSA-SHA512
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/FUTURE-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-gnutls.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -17,10 +17,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -104,10 +104,10 @@
secure-sig-for-cert = dsa-sha1
secure-sig-for-cert = ecdsa-sha1
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512,rsa-sha1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-nss.txt
--- old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++ new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1024:DSA-MIN=1024:RSA-MIN=1024"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1024:DSA-MIN=1024:RSA-MIN=1024"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -17,10 +17,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -104,10 +104,10 @@
secure-sig-for-cert = dsa-sha1
secure-sig-for-cert = ecdsa-sha1
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18+dh5
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18+dh5
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512,rsa-sha1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-nss.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1024:DSA-MIN=1024:RSA-MIN=1024"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:des-ede3-cbc:SHA256:SHA384:SHA512:SHA224:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:ECDSA:RSA-PSS:RSA-PKCS:DSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1024:DSA-MIN=1024:RSA-MIN=1024"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-gnutls.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-gnutls.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-gnutls.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-gnutls.txt
2023-06-14 15:28:09.000000000 +0200
@@ -15,10 +15,10 @@
tls-enabled-mac = SHA1
tls-enabled-mac = SHA512
tls-enabled-group = GROUP-X25519
-tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP256R1
-tls-enabled-group = GROUP-SECP384R1
+tls-enabled-group = GROUP-X448
tls-enabled-group = GROUP-SECP521R1
+tls-enabled-group = GROUP-SECP384R1
tls-enabled-group = GROUP-FFDHE2048
tls-enabled-group = GROUP-FFDHE3072
tls-enabled-group = GROUP-FFDHE4096
@@ -79,10 +79,10 @@
secure-sig-for-cert = ECDSA-SHA3-224
secure-sig-for-cert = RSA-SHA3-224
enabled-curve = X25519
-enabled-curve = X448
enabled-curve = SECP256R1
-enabled-curve = SECP384R1
+enabled-curve = X448
enabled-curve = SECP521R1
+enabled-curve = SECP384R1
enabled-curve = Ed25519
enabled-curve = Ed448
tls-enabled-cipher = AES-256-GCM
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-libreswan.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-libreswan.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-libreswan.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-libreswan.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
conn %default
ikev2=insist
pfs=yes
-
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh20+dh21+dh15+dh16+dh18
+
ike=aes_gcm256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18,aes128-sha2_256-dh19+dh14+dh31+dh21+dh20+dh15+dh16+dh18
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
authby=ecdsa-sha2_256,ecdsa-sha2_384,ecdsa-sha2_512,rsa-sha2_256,rsa-sha2_384,rsa-sha2_512
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-nss.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-nss.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-nss.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-nss.txt
2023-06-14 15:28:09.000000000 +0200
@@ -1,6 +1,6 @@
library=
name=Policy
NSS=flags=policyOnly,moduleDB
-config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
+config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP521R1:SECP384R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-opensslcnf.txt
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
---
old/fedora-crypto-policies-20230420.3d08ae7/tests/outputs/TEST-FEDORA39-opensslcnf.txt
2023-04-20 16:24:37.000000000 +0200
+++
new/fedora-crypto-policies-20230614.5f3458e/tests/outputs/TEST-FEDORA39-opensslcnf.txt
2023-06-14 15:28:09.000000000 +0200
@@ -5,7 +5,7 @@
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms =
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
-Groups =
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+Groups =
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
[openssl_init]
alg_section = evp_properties
++++++ fips-finish-install.8.gz ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:55.989856528 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:55.997856573 +0200
@@ -2,12 +2,12 @@
.\" Title: fips-finish-install
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 05/25/2023
+.\" Date: 07/13/2023
.\" Manual: \ \&
.\" Source: fips-finish-install
.\" Language: English
.\"
-.TH "FIPS\-FINISH\-INSTAL" "8" "05/25/2023" "fips\-finish\-install" "\ \&"
+.TH "FIPS\-FINISH\-INSTAL" "8" "07/13/2023" "fips\-finish\-install" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
++++++ fips-mode-setup.8.gz ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:56.017856686 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:56.021856709 +0200
@@ -2,12 +2,12 @@
.\" Title: fips-mode-setup
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 05/25/2023
+.\" Date: 07/13/2023
.\" Manual: \ \&
.\" Source: fips-mode-setup
.\" Language: English
.\"
-.TH "FIPS\-MODE\-SETUP" "8" "05/25/2023" "fips\-mode\-setup" "\ \&"
+.TH "FIPS\-MODE\-SETUP" "8" "07/13/2023" "fips\-mode\-setup" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
++++++ update-crypto-policies.8.gz ++++++
--- /var/tmp/diff_new_pack.IouMal/_old 2023-07-27 16:50:56.041856822 +0200
+++ /var/tmp/diff_new_pack.IouMal/_new 2023-07-27 16:50:56.045856844 +0200
@@ -2,12 +2,12 @@
.\" Title: update-crypto-policies
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 05/25/2023
+.\" Date: 07/13/2023
.\" Manual: \ \&
.\" Source: update-crypto-policies
.\" Language: English
.\"
-.TH "UPDATE\-CRYPTO\-POLI" "8" "05/25/2023" "update\-crypto\-policies" "\ \&"
+.TH "UPDATE\-CRYPTO\-POLI" "8" "07/13/2023" "update\-crypto\-policies" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -85,7 +85,7 @@
.sp -1
.IP \(bu 2.3
.\}
-OpenJDK (java\-tls, SSL, TLS) (Supported only for java\-1_8_0\-openjdk and
java\-11\-openjdk)
+OpenJDK (java\-tls, SSL, TLS) (Supported)
.RE
.sp
.RS 4
