[CentOS] easy way to stop old ssl's

Sat Oct 12 17:33:40 UTC 2019
Warren Young <warren at etr-usa.com>

On Oct 12, 2019, at 4:06 AM, Markus Falb <markus.falb at fasel.at> wrote:
> On 11.10.19 22:40, Warren Young wrote:
>> Just ship a new HTTPS configuration to each server.
> Instead of configuring every application separataly it would be nice if
> "accepted levels of security" could be set system wide.

…which implies that there is some authority that defines “accepted level” the way you’d do it if you could be bothered to think through all of the use cases, combinations, and implications.

Who is that central organization?  Are you sure their notions match your own?

> With 8 it seems there is such a thing
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
> Although I believe that FIPS mode is also available in 7

That’s FIPS 140-2, a standard from 2001, which is three TLS standards ago.

FIPS 140-3 just barely became effective a few weeks ago, which means it won’t be considered for inclusion in RHEL until 9, which I don’t expect to appear until 3-4 years from now, by which time FIPS 140-2 will be around 21 years old.

So, we not only have a situation where adopting FIPS 140-2 requires that you use badly outdated security technologies, it also means you might not be able to communicate with those that do support modern standards, if they’ve dropped compatibility with 2001 era tech sometime in the last 18 years.

If we can be well-guided by past events, there’s a better than 50/50 chance that any given person on this list won’t even be in IT any more when FIPS 140-4 comes out.