
Fedora Looks At Tightening Its Crypto Policies Next Year


  • Fedora Looks At Tightening Its Crypto Policies Next Year

    Phoronix: Fedora Looks At Tightening Its Crypto Policies Next Year

    Fedora Linux is looking at tightening up its cryptographic policies with next year's Fedora 38/39 releases, but for Fedora 37 later this year they will likely begin warning users about the planned changes...


  • #2
    SHA-1 served us well for quite a period of time, but the weaknesses are now well known (and the crypto community will only get better), so it is widely accepted that SHA-1 should not be used into the future, while realizing that existing signatures will need to be recognized during the lifetime of the original sources, and providing a transition period (some CA certs may still exist with only a SHA-1 signature).

    With EL9 (beta), the Red Hat default policy already distrusts SHA-1 (being a 10-year supported distro, it is expected that during that timeframe the various authorities will require SHA-1 to no longer be used, so they default to distrust now rather than change in the middle of the release), and, not unexpectedly, a few issues were identified (and are being addressed either through targeted overrides, or by fixing the processes that still generate SHA-1 only).


    • #3
      This command to revert RHEL to a more tolerant crypto policy helped me in the past. Hopefully it also works for Fedora...

      This article summarizes the rationale behind Red Hat Enterprise Linux crypto policies, and provides information on its default settings, and instructions on how it can be used.


      $ update-crypto-policies --show

      $ sudo update-crypto-policies --set LEGACY
      Setting system policy to LEGACY
      Last edited by johncall; 30 April 2022, 11:31 AM.


      • #4
        I really don't understand why they are so late for this.

        My current institution is already actively blocking SSH servers that are still using SHA-1 or other weaker ciphers, effectively making the default Fedora SSH server unusable.
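        The posts above mention two things a practitioner would want to check on a system like this: which SSH algorithms the server still offers that depend on SHA-1 (or DSA), and how to relax the policy without dropping the whole box to LEGACY as in #3. The script below is an added example, not code from the thread or from the crypto-policies project. The algorithm list it scans is a constructed sample standing in for the output of `ssh -Q kex`, `ssh -Q mac` and `ssh -Q key` on a real host; the function names are my own.

        ```shell
        #!/bin/sh
        # Added example: flag SSH algorithms that depend on SHA-1 (or DSA) in an
        # algorithm list, the kind of thing a strict gateway rejects (post #4).
        #
        # On a real host, feed it the server's advertised algorithms instead, e.g.:
        #   ssh -Q kex; ssh -Q mac; ssh -Q key        # what this OpenSSH build supports
        #   cat /etc/crypto-policies/back-ends/opensshserver.config   # what policy allows
        #
        # If something legacy genuinely still needs SHA-1, prefer the scoped subpolicy
        # over LEGACY for the whole system (assumes a crypto-policies version that
        # ships the SHA1 subpolicy, as RHEL 9 / recent Fedora do):
        #   sudo update-crypto-policies --set DEFAULT:SHA1
        # and undo it with:
        #   sudo update-crypto-policies --set DEFAULT

        # Constructed sample (not captured from a real host): a typical
        # pre-tightening mix of KEX, MAC and host-key algorithms.
        SAMPLE_ALGOS='diffie-hellman-group14-sha1
        diffie-hellman-group-exchange-sha1
        diffie-hellman-group-exchange-sha256
        curve25519-sha256
        hmac-sha1
        hmac-sha1-etm@openssh.com
        hmac-sha2-256-etm@openssh.com
        ssh-rsa
        rsa-sha2-512
        ssh-dss
        ssh-ed25519'

        # Read algorithm names from stdin, print the ones that rely on SHA-1 or DSA.
        # Note: "ssh-rsa" is the RSA-with-SHA-1 signature scheme; the RSA key itself
        # is fine and keeps working via rsa-sha2-256 / rsa-sha2-512.
        weak_ssh_algos() {
            grep -E -- '-sha1($|-)|^ssh-rsa$|^ssh-dss$'
        }

        # Count weak algorithms in the newline-separated list passed as $1.
        count_weak() {
            printf '%s\n' "$1" | weak_ssh_algos | wc -l | tr -d ' '
        }

        # Exit status 0 if the list is clean, 1 otherwise (usable as a CI gate).
        is_clean() {
            [ "$(count_weak "$1")" -eq 0 ]
        }

        # Stand-alone run: report on the constructed sample.
        printf 'Weak algorithms offered:\n'
        printf '%s\n' "$SAMPLE_ALGOS" | weak_ssh_algos
        printf 'Total: %s\n' "$(count_weak "$SAMPLE_ALGOS")"
        ```

        Run against the sample it lists six entries: two SHA-1 key exchanges, two SHA-1 MACs, ssh-rsa and ssh-dss. Everything else (curve25519-sha256, the SHA-2 MACs, rsa-sha2-512, ssh-ed25519) is what a server must still offer after the SHA-1 entries are removed, so tightening the policy does not lock clients out unless they only speak the old set.
        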


        • #5
          Good. It's about time...