diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-04-04 16:25:37 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-06-20 15:50:44 +0200 |
commit | e9366c86ee8434669014fc1544d52e384430072a (patch) | |
tree | 036ff1eb760c05691288a198bbbfb8e915f43e20 /NEWS | |
parent | 90142f2d70018d862cba02067159cad8c7db4239 (diff) | |
download | gnutls-e9366c86ee8434669014fc1544d52e384430072a.tar.gz |
config: added ability to override and mark algorithms as disabled
This allows the system administrator or the distributor to use
the gnutls configuration file to mark hashes, signature algorithms,
TLS versions, curves, groups, ciphers KX, and MAC algorithms as
insecure (the last four only in the context of a TLS session).
It also allows to set a minimum profile which the applications
cannot fall below.
The options intentionally do not allow marking algorithms as
secure so that the configuration file cannot be used as an attack
vector. This change also makes sure that unsupported and disabled protocols
during compile time (e.g., SSL3.0), do not get listed by gnutls-cli.
The configuration file feature can be disabled at compile time
with an empty --with-system-priority-file.
This patch it introduces the function gnutls_get_system_config_file()
allowing applications to check whether a configuration file
was used.
Resolves: #587
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 21 |
1 files changed, 20 insertions, 1 deletions
@@ -16,7 +16,26 @@ See the end for copying conditions. functional though a compiler warning will be issued, and a future minor version update may transform them to a no-op while keeping the ABI compatibility (#789) -** API and ABI modifications: +** The priority configuration was enhanced to allow more elaborate + system-wide configuration of the library. The following changes were done: + - The file is read as an ini file with '#' indicating a comment. + - The section "[priorities]" or global follows the existing semantics of + the configuration file, and allows to specify system-wide priority strings + which are accessed with the '@' prefix. + - The section "[overrides]" is added with the parameters "insecure-hash", + "insecure-sig", "insecure-sig-for-cert", "disabled-curve", + "disabled-version", "min-verification-profile", "tls-disabled-cipher", + "tls-disabled-mac", "tls-disabled-group", "tls-disabled-kx", which prohibit + specific algorithms or options globally. Existing algorithms in the + library can be marked as disabled and insecure, but no hard-coded + insecure algorithm can be marked as secure (so that the configuration + cannot be abused to make the system vulnerable). + - Unknown sections or options are skipped with a debug message, unless + the GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID environment parameter is + set to 1. + +** API and ABI modifications: +gnutls_get_system_config_file: Added gnutls_crypto_register_cipher: Deprecated gnutls_crypto_register_aead_cipher: Deprecated gnutls_crypto_register_digest: Deprecated |