This Page collects information about what Debian can do or what might be feasible to allow the administrator of a system more control over cryptographic parameters like used cyphers, protocols, ....
This is inspired by Fedora's CryptoPolicy: https://fedoraproject.org/wiki/Changes/CryptoPolicy
Fedora's CryptoPolicy is roughly about:
- extend crypto libraries to allow software to refer to a system-wide policy (@SYSTEM in Gnutls (already upstream), PROFILE=SYSTEM in OpenSSL (patches available)).
- change all program's defaults and hardcoded values to use those system-wide defaults
- some framework including a update-crypto-policies program to control the system-wide policy
some set of profiles (LEGACY,DEFAULT,FUTURE) to set the system to (including historic profiles available as DEFAULT-F<oldnum>)
Possible actions for Debian
supporting using profiles in crypto libraries
Debian could look at the patches used by Fedora and include them, too. (Even if doing nothing, Fedora will hopefully manage to get them upsream so in the end we might get them anyway).
offering a update-crypo-policies framework
Either packaging was Fedora has (possibly adopting it to our needs) or writing something equivalent of ourself.
Crypto settings in applications
Once the framework is available, it is about changing programs to use them.
Possible early steps:
- identify affacted software
- possibly also extending software to no longer hardcode anything
- (Having a policy affecting everything has the disadvantage of you not being able to chose a system wide policy stronger than the weakest needed settings of a software that cannot be configured to use something by the admin via configuration)