Bug 1489825 - go: Respect system-wide crypto-policies
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: golang
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Jakub Čajka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: fedora-crypto-policies 1527035
Reported: 2017-09-08 12:26 UTC by Nikos Mavrogiannopoulos
Modified: 2022-06-30 20:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1527035
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Nikos Mavrogiannopoulos 2017-09-08 12:26:12 UTC
Fedora has switched to system-wide default crypto policies for TLS and other crypto packages:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies


As it is now, Go applications don't respect the system policy, making them distinct from other system applications.

If Go uses a configuration to adjust TLS library behavior, please suggest a patch to crypto policies upstream [0] to generate such a file. If not, please advise on the appropriate path to follow for Go applications to behave similarly to other system applications.

[This is a proposal for collaboration, please let me know whether that can be done in our current setup of Java and how, and if not, the steps that are required to achieve that goal]

[0]. https://gitlab.com/nmav/fedora-crypto-policies/

Comment 1 Jakub Čajka 2017-09-19 11:52:42 UTC
Is the crypto policy described somewhere in general terms? At first look, this seems to be a better fit for each individual package/project using the Go stdlib than for the stdlib itself (as it doesn't provide any facility to disable individual algorithms at runtime).
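
Comment 1's suggestion that each Go program apply the policy itself could look like the following. This is an added example, not part of the bug report and not code from Go or crypto-policies: the `key=value` policy text, its key names and `configFromPolicy` are hypothetical, and the sample input is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample; this key=value format is hypothetical, not crypto-policies output.
const samplePolicy = "min_tls_version=TLS1.2\n" +
	"ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n"

var versions = map[string]uint16{"TLS1.2": tls.VersionTLS12, "TLS1.3": tls.VersionTLS13}

// configFromPolicy fails closed: unknown keys, versions or suite names are errors,
// and only suites Go itself lists as secure (tls.CipherSuites) are accepted.
func configFromPolicy(policy string) (*tls.Config, error) {
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12} // floor if the policy names no version
	for _, line := range strings.Split(strings.TrimSpace(policy), "\n") {
		key, val, _ := strings.Cut(strings.TrimSpace(line), "=")
		switch key {
		case "min_tls_version":
			if cfg.MinVersion = versions[val]; cfg.MinVersion == 0 {
				return nil, fmt.Errorf("unsupported minimum version %q", val)
			}
		case "ciphers": // TLS 1.0-1.2 only; Go does not make TLS 1.3 suites configurable
			for _, name := range strings.Split(val, ":") {
				id, ok := secure[name]
				if !ok {
					return nil, fmt.Errorf("cipher suite %q rejected", name)
				}
				cfg.CipherSuites = append(cfg.CipherSuites, id)
			}
		default:
			return nil, fmt.Errorf("unknown or malformed policy line %q", line)
		}
	}
	return cfg, nil
}

func main() {
	if cfg, err := configFromPolicy(samplePolicy); err == nil {
		fmt.Printf("min=%#x suites=%#x\n", cfg.MinVersion, cfg.CipherSuites)
	}
}
```

The returned `*tls.Config` still has to be passed to every listener and client the program creates, which is why the approach only covers applications that opt in.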

Comment 2 Nikos Mavrogiannopoulos 2017-09-19 12:55:49 UTC
The idea is described in:
https://gitlab.com/nmav/fedora-crypto-policies/blob/master/update-crypto-policies.8.txt
https://fedoraproject.org/wiki/Changes/CryptoPolicy

We want to be able to provide a default system policy which _all_ packages in the system respect.

Comment 4 Fedora End Of Life 2018-02-20 15:26:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 5 Fedora Admin user for bugzilla script actions 2022-06-30 20:07:22 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

