Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls-gnutls.c: Use system crypto policy if available #1105

Merged
merged 1 commit into from
Dec 6, 2024
Merged

tls-gnutls.c: Use system crypto policy if available #1105

merged 1 commit into from
Dec 6, 2024

Conversation

zdohnal
Copy link
Member

@zdohnal zdohnal commented Dec 4, 2024

Some Linux systems provide a way how to control cryptography on system or service level via cryptographic policies. OpenSSL implementation reflects system changes to some degree, however GnuTLS implementation does not take system policy into account.

GnuTLS supports fallback mechanism, so we can fallback to NORMAL if @System is not defined on the system.

Fortunately, the current GnuTLS implementation allows overrides via priority strings (so no "this cipher/hash is disabled" if we enabled them in our application by priority string), so allowing to honor system policy can save us work if someone wants to disable a specific cipher, so we don't have to implement it in libcups.

@zdohnal
tls-gnutls.c: Use system crypto policy if available
d3474cc 
Some Linux systems provide a way how to control cryptography on system
or service level via cryptographic policies. OpenSSL implementation
reflects system changes to some degree, however GnuTLS implementation
does not take system policy into account.

GnuTLS supports fallback mechanism, so we can fallback to NORMAL if
@System is not defined on the system.

Fortunately, the current GnuTLS implementation allows overrides via
priority strings (so no "this cipher/hash is disabled" if we enabled
them in our application by priority string), so allowing to honor system
policy can save us work if someone wants to disable a specific cipher,
so we don't have to implement it in libcups.
@zdohnal zdohnal requested a review from michaelrsweet December 4, 2024 18:27
michaelrsweet
michaelrsweet approved these changes Dec 5, 2024
View reviewed changes
Copy link
Member

@michaelrsweet michaelrsweet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see "@System" documented explicitly in the GNU TLS docos, but "@Keyword" is allowed so I have no hard objection.

@zdohnal
Copy link
Member Author

zdohnal commented Dec 6, 2024

@michaelrsweet I saw both cases in https://gnutls.org/manual/html_node/Priority-Strings.html , but "SYSTEM" did not work as intended (it somehow replaced all other priority strings and our changes in implementation did not matter), but "@System" did the trick the way I expected - the cipher list stayed the same for specific SSLOptions, only the ciphers disabled by crypto policy were missing.

@zdohnal zdohnal merged commit ec1b91e into OpenPrinting:master Dec 6, 2024
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelrsweet michaelrsweet michaelrsweet approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zdohnal @michaelrsweet