Don't hard-code client's TLS versions and ciphers

Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.

Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.

The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Author: Christian Heimes
Date: 2019-11-22 10:42:11 +01:00
parent 0198eca795
commit 639bb71940
6 changed files with 108 additions and 26 deletions
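An added example, not part of this commit or of FreeIPA's own code, showing the client-side pattern the commit message describes: build the SSLContext from the system crypto policy, raise the version floor only when the interpreter exposes SSLContext.minimum_version (Python 3.7+ on OpenSSL 1.1.1; Python 3.6 has no such setter), and audit which suites the old hard-coded string `PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS` would have removed from the policy's list. The function names, the name-based matching of cipher families, and the PROFILE=SYSTEM probe are assumptions of this example, not FreeIPA interfaces.

```python
"""Added example (not FreeIPA code): prefer the system crypto policy over
hard-coded TLS ciphers and versions on the client side."""
import ssl

# Cipher string the Red Hat platform constants hard-coded before this change:
# the system profile minus 3DES, PSK, SRP and DSS-authenticated suites.
LEGACY_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"

# Substrings of OpenSSL cipher names that the four "!" keywords above remove
# (assumption: a name-based approximation of OpenSSL's keyword matching).
LEGACY_EXCLUDED_MARKERS = ("DES-CBC3", "PSK", "SRP", "DSS")


def supports_min_version_setter():
    """True when SSLContext.minimum_version exists (Python 3.7+ on OpenSSL 1.1.1).
    Python 3.6 lacks it, so the policy's minimum cannot be overridden there."""
    return hasattr(ssl.SSLContext, "minimum_version")


def make_client_context(tls_ciphers=None, min_version_name=None):
    """Client SSLContext that leaves the cipher list and version range at the
    OpenSSL/system-policy defaults unless explicitly told otherwise.

    tls_ciphers: None (the new default) keeps the policy's cipher list;
                 a cipher string replaces it, which is the old behaviour.
    min_version_name: None keeps the policy's minimum; e.g. "TLSv1_2" raises
                 the floor and fails loudly on interpreters without the setter.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if tls_ciphers is not None:
        ctx.set_ciphers(tls_ciphers)
    if min_version_name is not None:
        if not supports_min_version_setter():
            raise RuntimeError(
                "SSLContext.minimum_version unavailable; cannot override the "
                "system crypto policy on this Python")
        ctx.minimum_version = getattr(ssl.TLSVersion, min_version_name)
    return ctx


def legacy_cipher_string_accepted():
    """True if set_ciphers() accepts the old hard-coded string. PROFILE=SYSTEM
    is a Fedora/RHEL OpenSSL feature; on builds that lack it no TLS 1.2 suite
    is selected and set_ciphers() raises SSLError, the portability hazard of
    hard-coding the string in the first place."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(LEGACY_CIPHERS)
    except ssl.SSLError:
        return False
    return True


def reintroduced_ciphers(ctx):
    """Suites enabled in ctx that the legacy string would have excluded,
    i.e. what deferring to the system policy re-admits on this host."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in LEGACY_EXCLUDED_MARKERS)]


def context_summary(ctx):
    """Plain-value view of the settings that matter for this change."""
    minv = getattr(ctx, "minimum_version", None)
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": getattr(minv, "name", minv),
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    ctx = make_client_context()
    print("system-policy context:", context_summary(ctx))
    print("re-admitted vs legacy string:", reintroduced_ciphers(ctx))
    print("legacy string accepted by this OpenSSL:", legacy_cipher_string_accepted())
```

On a Fedora or RHEL OpenSSL the probe returns True and the argument-less context carries exactly the policy's cipher list, so `reintroduced_ciphers()` is the concrete diff between the old and new client behaviour on that host; on RHEL 8 the minimum stays TLS 1.2 from the policy alone, while on Fedora 31 the floor is whatever the policy sets unless the caller raises it through `min_version_name`.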


@@ -14,10 +14,9 @@ from ipaplatform.base.constants import BaseConstantsNamespace
class RedHatConstantsNamespace(BaseConstantsNamespace):
# System-wide crypto policy, but without TripleDES, pre-shared key,
# secure remote password, and DSA cert authentication.
# Use system-wide crypto policy
# see https://fedoraproject.org/wiki/Changes/CryptoPolicy
TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
TLS_HIGH_CIPHERS = None
constants = RedHatConstantsNamespace()
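Review bot: setting TLS_HIGH_CIPHERS = None silently drops the explicit !3DES:!PSK:!SRP:!aDSS exclusions that the removed comment documented, so clients now offer whatever the system policy enables for those families; the new comment "Use system-wide crypto policy" should say that the exclusions were dropped on purpose and that None means "do not call the cipher setter at all", because every consumer of TLS_HIGH_CIPHERS (none is visible in this hunk, the other five files presumably carry it) must treat None as "leave the policy default" rather than pass it through to the cipher-setting call.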