* Requirements for crypto deprecation?
@ 2020-05-12 15:48 Joseph Reynolds
From: Joseph Reynolds @ 2020-05-12 15:48 UTC (permalink / raw)
To: openbmc
Ping. Does anyone have requirements for a BMC admin to be able to
disable cryptographic algorithms that help provide transport layer
security (TLS) for network traffic? For example, if
ECDHE-ECDSA-AES256-GCM-SHA384 was broken [1], do we need a way to
disable it for HTTPS in operational BMCs?
Note: The list of supported algorithms is compiled into the BMC's
firmware image [2][3] and cannot be changed by an admin or shell
commands; it requires reconfiguration of the source code and the BMC
to be updated with a new firmware image.
Is there interest in adding this function, knowing the fallback option
is to update the firmware?
- Joseph
[1]: I am not saying or even hinting this is broken. ;-)
[2]: https://github.com/openbmc/bmcweb/blob/0185c7f163a850216437be23111e2bfdd874cd11/include/ssl_key_handler.hpp#L336
[3]: Similar compile-time config for dropbear SSH server.
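
Added example, not part of the original message and not bmcweb code: one way an admin deny list could be layered over a compiled-in suite list, shown with Python's ssl module. The list COMPILED_IN is constructed for illustration (only the first suite is named in the message), and build_context and tls12_suites are hypothetical names.

```python
import ssl

# Constructed stand-in for a compiled-in TLS 1.2 suite list (not bmcweb's real list).
COMPILED_IN = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",  # the suite named in the message
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def build_context(denied):
    """Return a server context offering COMPILED_IN minus the admin's deny list."""
    denied = set(denied)
    unknown = denied - set(COMPILED_IN)
    if unknown:
        # A typo in the deny list must not silently leave a suite enabled.
        raise ValueError(f"not in compiled-in list: {sorted(unknown)}")
    allowed = [s for s in COMPILED_IN if s not in denied]
    if not allowed:
        # Fail closed rather than fall back to the library's default suites.
        raise ValueError("deny list removes every compiled-in suite")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(allowed))
    return ctx


def tls12_suites(ctx):
    """Names of the TLS 1.2 suites the context will offer.

    OpenSSL configures TLS 1.3 suites separately, so set_ciphers() does
    not remove them; they are filtered out here by their TLS_ prefix.
    """
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


if __name__ == "__main__":
    ctx = build_context(["ECDHE-ECDSA-AES256-GCM-SHA384"])
    print(tls12_suites(ctx))
```

A deny list of this kind covers TLS 1.2 suites only; disabling a TLS 1.3 suite needs a separate control.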