-
Mon Apr 04 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20220223-1.git5203b41.1
- DEFAULT: drop DNSSEC SHA-1 exception
-
Wed Feb 23 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20220223-1.git5203b41
- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY
- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY
- fips-mode-setup: catch more inconsistencies, clarify --check
-
Thu Feb 03 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20220203-1.gitf03e75e
- gnutls: enable SHAKE, needed for Ed448
- fips-mode-setup: improve handling FIPS plus subpolicies
- FIPS: disable SHA-1 HMAC
- FIPS: disable CBC ciphers except in Kerberos
-
Tue Feb 01 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20220201-1.git636a91d
- openssl: revert to SECLEVEL=2 in LEGACY
- openssl: add newlines at the end of the output
-
Mon Nov 15 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20211115-1.git70de135
- OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
- fips-mode-setup, fips-finish-install: call zipl more often (s390x-specific)
-
Wed Sep 22 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210922-1.git6fb269b
- openssl: fix disabling ChaCha20
- update for pylint 2.11
-
Tue Sep 14 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210914-1.git97d08ef
- gnutls: reorder ECDSA-SECPMMMR1-SHANNN together with ECDSA-SHANNN
- fix several issues with update-crypto-policies --check
-
Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 20210707-2.git29f6c0b
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
-
Wed Jul 07 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210707-1.git29f6c0b
- gnutls: explicitly enable ECDSA-SECPNNNR1-SHANNN
- packaging: adapt to the RHEL-9 %check-time testing tools availability
-
Mon Jun 28 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210628-1.gitdd7d273
- implement scoped policies, e.g., cipher@SSH = ...
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
- deprecate derived properties:
  tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
- deprecate unscoped form of protocol property
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
- libssh: respect ssh_certs
- restrict FIPS:OSPP further
- improve Python 3.10 compatibility
- update documentation
- expand upstream test coverage
- FUTURE: disable CBC ciphers for all backends but krb5
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
- disable DHE-DSS in LEGACY
- bump LEGACY key size requirements from 1023 to 1024
- add javasystem backend
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
- gnutls: use allowlisting