Hi Rob,

* On Friday, 18 March 2016, 15:44:34 [CET] Rob Crittenden wrote:
>
> >>Thanks for the patch! I created https://fedorahosted.org/mod_nss/ticket/25
> >>to track this.
> >
> >Thanks, I updated the patch in there.
>
> Ok thanks, I'll take a look.

The new patch incorporates suggestions from your first email.

> >>Some comments:
> >>
> >>I think it would be best to completely drop get_ciphers and the lines that
> >>were calling it.
> >>
> >>There is a problem though.
> >
> >I sort of expected that this step may cause some problems, that's why
> >I left the code in, but commented it out.
> >
> >>In Fedora/RHEL/CentOS there is a movement towards a
> >>system-level SSL/TLS configuration. This leaves an unusable configuration
> >>of:
> >>
> >>NSSCipherSuite PROFILE=SYSTEM
> >>NSSProxyCipherSuite PROFILE=SYSTEM
> >>
> >>This is because NSS is almost, but not quite, there when it comes to
> >>system-level config and it is going to be configured differently.
> >>
> >>The OpenSSL policy file in Fedora is
> >>/etc/crypto-policies/back-ends/openssl.config. I don't know how safe it is
> >>to slurp that in and use it. On my box it is just a cipher string.
> >>
> >>So either the system config needs to be read and the values replaced or
> >>get_ciphers needs to be updated big time. I'd prefer the former.
> >
> >If centralized cipher settings are in place, then the migrate.pl script
> >should definitely be aware of them.
> >This is however Fedora/RHEL specific.
> >I think, we can keep the cipher string on other distributions.
>
> Yup. I think we can just look for PROFILE=SYSTEM and slurp in
> /etc/crypto-policies/back-ends/openssl.config. I can add this on after your
> patch if you'd prefer.

I wouldn't, feel free to modify the patch.

-- 
Vita Cizek
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
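
One way to do the PROFILE=SYSTEM lookup discussed in this thread, as an added Perl example (not code from migrate.pl or from either poster). It covers only reading and sanity-checking the policy file before its content replaces the directive value; the helper names are hypothetical, the sample policy content is constructed, and the accepted character set is an assumption about what a plain cipher string looks like.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Path quoted in the thread (Fedora). Other distributions may not have it.
my $POLICY_FILE = '/etc/crypto-policies/back-ends/openssl.config';

# Hypothetical helper: read the policy file and accept it only if it holds
# exactly one line that looks like a cipher string. Returns undef otherwise.
sub read_system_ciphers {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    my @lines = grep { /\S/ } <$fh>;          # ignore blank lines
    close($fh);
    return unless @lines == 1;                # expect a single cipher string
    my $ciphers = $lines[0];
    $ciphers =~ s/^\s+|\s+$//g;               # trim whitespace and newline
    # Assumed allow-list: names, keywords and list operators only, so that
    # nothing else from the file ends up in the generated configuration.
    return unless $ciphers =~ /\A[A-Za-z0-9_:,+!\-\@=]+\z/;
    return $ciphers;
}

# Hypothetical helper: expand PROFILE=SYSTEM in a cipher directive value.
# Any other value is returned unchanged, as on distributions without the file.
sub resolve_cipher_value {
    my ($value, $path) = @_;
    $path //= $POLICY_FILE;
    return $value unless $value eq 'PROFILE=SYSTEM';
    my $ciphers = read_system_ciphers($path);
    die "PROFILE=SYSTEM is set but $path is missing or not a plain cipher string\n"
        unless defined $ciphers;
    return $ciphers;
}

# Constructed sample input: a temporary file stands in for the policy file.
my ($tmp, $tmpname) = tempfile(UNLINK => 1);
print $tmp "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!MD5\n";
close($tmp);

for my $value ('PROFILE=SYSTEM', 'HIGH:!aNULL') {
    printf "%-16s -> %s\n", $value, resolve_cipher_value($value, $tmpname);
}
```

The resolved value is still an OpenSSL cipher string, so it would go through whatever cipher-name conversion the migration script applies to any other value.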
