Fedora Looks At Tightening Its Crypto Policies Next Year
-
I really don't understand why they are so late for this.
My current institution is already actively blocking ssh-servers that are still using SHA-1 or other weaker ciphers, effectively making the default Fedora SSH server unusable.
-
This command to revert RHEL to a more tolerant crypto policy helped me in the past. Hopefully it also works for Fedora...
This article summarizes the rationale behind Red Hat Enterprise Linux crypto policies, and provides information on its default settings, and instructions on how it can be used.
and https://access.redhat.com/documentat...aphic-policies
$ update-crypto-policies --show
DEFAULT
$ sudo update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Last edited by johncall; 30 April 2022, 11:31 AM.
- Likes 4
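The posts above turn on whether an SSH server still offers SHA-1-based algorithms, which a more tolerant policy such as LEGACY can leave enabled. The following is an added example, not part of any post in this thread: it filters effective sshd configuration in the format printed by `sshd -T` and lists the SHA-1-based entries. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SHA-1-based algorithms in `sshd -T` style output.
# On a real host the input would come from:  sudo sshd -T | find_sha1_algos

# Reads "keyword value[,value...]" lines on stdin and prints one
# "keyword algorithm" line for every SHA-1-based algorithm found.
find_sha1_algos() {
    awk '
    $1 ~ /^(kexalgorithms|macs|hostkeyalgorithms|pubkeyacceptedalgorithms|pubkeyacceptedkeytypes)$/ {
        n = split($2, algs, ",")
        for (i = 1; i <= n; i++) {
            a = algs[i]
            # Names containing "sha1" cover key exchange and MAC entries.
            # ssh-rsa and ssh-dss (and their certificate variants) are the
            # signature schemes that hash with SHA-1; rsa-sha2-* do not.
            if (a ~ /sha1/ || a == "ssh-rsa" || a == "ssh-dss" ||
                a ~ /^ssh-(rsa|dss)-cert-/)
                print $1, a
        }
    }'
}

# Constructed sample input in the format of `sshd -T` (not from a real host).
sample_sshd_config() {
    cat <<'EOF'
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
EOF
}

# Demo run on the constructed sample.
sample_sshd_config | find_sha1_algos
```

An empty result means none of the checked directives lists a SHA-1-based algorithm; comparing the output before and after a policy change shows what that policy re-enables.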
-
SHA-1 served us well for quite a period of time, but the weaknesses are now well known (and the crypto community will only get better), so it is widely accepted that SHA-1 should not be used into the future, while realizing that existing signatures will need to be recognized during the lifetime of the original sources, and providing a transition period (some CA certs may still exist with only a SHA-1 signature).
With EL9 (beta), the Red Hat default policy already distrusts SHA-1 (being a 10 year supported distro, it is expected that during that timeframe the various authorities will require SHA-1 to no longer be used, so they default to distrust now rather than change in the middle of the release), and, not unexpectedly, a few issues were identified (and are being addressed either through targeted overrides, or fixing the processes that still generate SHA-1 only).
- Likes 4
-
Phoronix: Fedora Looks At Tightening Its Crypto Policies Next Year
Fedora Linux is looking at tightening up its cryptographic policies with next year's Fedora 38/39 releases but for Fedora 37 later this year they will likely begin warning users around the planned changes...