Changelog for
crypto-policies-20240202-1.git283706d.el9.noarch.rpm :
* Fri Feb 02 2024 Alexander Sosedkin
- 20240202-1.git283706d- fips-finish-install: make sure ostree is detected in chroot- fips-mode-setup: make sure ostree is detected in chroot- fips-finish-install: Create/remove /etc/system-fips on ostree systems- java: disable ChaCha20-Poly1305 where applicable
* Mon Nov 13 2023 Clemens Lang - 20231113-1.gite9247c2- fips-mode-setup: Fix test for empty /boot (RHEL-11350)- fips-mode-setup: Avoid \'boot=UUID=\' if /boot == / (RHEL-11350)
* Thu Nov 09 2023 Clemens Lang - 20231109-1.git0ceff7f- Restore support for scoped ssh_etm directives (RHEL-15925)- Print matches in syntax deprecation warnings (RHEL-15925)
* Wed Nov 08 2023 Clemens Lang - 20231108-1.git994ae09- turn ssh_etm into an etmAATTSSH tri-state (RHEL-15925)- fips-mode-setup: increase chroot-friendliness (RHEL-11350)- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)
* Mon Oct 16 2023 Alexander Sosedkin - 20231016-1.git77ceb0b- openssl: fix SHA1 and NO-ENFORCE-EMS interaction- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
* Wed Sep 20 2023 Alexander Sosedkin - 20230920-1.git8dcf74d- OSPP subpolicy: tighten beyond reason for OSPP 4.3- fips-mode-setup: more thorough --disable, still unsupported
* Mon Jul 31 2023 Alexander Sosedkin - 20230731-1.git94f0e2c- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones- FIPS: enforce EMS in FIPS mode- NO-ENFORCE-EMS: add subpolicy to undo the EMS enforcement in FIPS mode- nss: implement EMS enforcement in FIPS mode (disabled in ELN)- openssl: implement EMS enforcement in FIPS mode- gnutls: implement EMS enforcement in FIPS mode (disabled in ELN)- docs: replace `FIPS 140-2` with just `FIPS 140`
* Wed Jun 14 2023 Alexander Sosedkin - 20230614-1.git027799d- policies: restore group order to old OpenSSL default order
* Fri May 05 2023 Alexander Sosedkin - 20230505-1.gitf69bbc2- openssl: set Groups explicitly- openssl: add support for Brainpool curves
* Thu Dec 15 2022 Alexander Sosedkin - 20221215-1.git9a18988- bind: expand the list of disableable algorithms
* Mon Oct 03 2022 Alexander Sosedkin - 20221003-1.git04dee29- openssh: rename RSAMinSize option to RequiredRSASize
* Mon Aug 15 2022 Alexander Sosedkin - 20220815-1.git0fbe86f- openssh: add RSAMinSize option following min_rsa_size
* Wed Apr 27 2022 Alexander Sosedkin - 20220427-1.gitb2323a1- bind: control ED25519/ED448
* Mon Apr 04 2022 Alexander Sosedkin - 20220404-1.git845c0c1- DEFAULT: drop DNSSEC SHA-1 exception- openssh: add support for sntrup761x25519-sha512AATTopenssh.com
* Wed Feb 23 2022 Alexander Sosedkin - 20220223-1.git5203b41- openssl: allow SHA-1 signatures with rh-allow-sha1-signatures in LEGACY- update AD-SUPPORT, move RC4 enctype enabling to AD-SUPPORT-LEGACY- fips-mode-setup: catch more inconsistencies, clarify --check
* Thu Feb 03 2022 Alexander Sosedkin - 20220203-1.gitf03e75e- gnutls: enable SHAKE, needed for Ed448- fips-mode-setup: improve handling FIPS plus subpolicies- FIPS: disable SHA-1 HMAC- FIPS: disable CBC ciphers except in Kerberos