On Fri, Aug 27, 2021 at 6:28 PM przemek klosowski via devel <devel@lists.fedoraproject.org> wrote: > > > On 8/25/21 4:54 AM, Alexander Sosedkin wrote: > > It's not ideal if one obsolete website forces downgrading the security > potentially for all the connections. I hope 5) is addressing that. > > That's something apps and only apps can handle. > > Well, but if the system policy says that TLS1.0 is banned, the only way for > the app to downgrade would be if it had its own TLS stack, right?
The right way is to make the library provide an API that overrides these defaults, and the application to call that API when it's confident it should deviate from the distribution defaults. The current way is that some libraries allow such overriding and some don't. > I do realize that the current policy mechanism is not designed for narrow > deviations, I am just pointing out that it's not ideal because in practice > people downgrade because they need narrow deviations for specific > connections, and as you well know, relaxing the rules for all connections > opens the door to downgrade attacks even on the connections that are capable > of TLS2.0. > > I am asking if there is another way, for instance by having a per-interface > policies, and setting up the relaxed rules for an interface that routes > traffic to this one deficient remote endpoint. It'd be very interesting, hard, and abstraction-permeating to make crypto library configuration depend on endpoints or interfaces, but this is definitely something that should start from within either apps or crypto libraries themselves. crypto-policies is the furthermost component away from things like interfaces and endpoints. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
