Provide a configuration file
The approach of gnutls is to deprecate algorithms like SHA1 in the library, and change TLS settings on various versions which improve the security. However, there are cases in which these items are handled at the operating system level (e.g., Fedora crypto-policies), and as such it would be beneficial to allow such settings to be switched system-wide.
Currently we only provide a way to create application-specific or system-specific priority strings and modify the default priority string set with gnutls_set_default_priority; this only affects a subset of applications that use gnutls (i.e., not the ones that specifically set a priority string).
We should enhance the currently provided configuration file (system priority file), to be able to configure:
- Mark insecure signature algorithms for certificates
- Mark insecure signature algorithms
- Mark insecure hash algorithms
- Mark disallowed curves
- Set global TLS options which no application could override; this should include
  - disallowed TLS versions
  - disallowed ciphers
  - disallowed MACs
  - disallowed groups
  - minimum verification profile (includes DH parameter limit and RSA key limits)
  - disallowed key exchanges
This should not allow a configuration to weaken the default gnutls policy, so that it is not used as an attack vector for the system.
c.f., inih
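
A sketch of the "can only tighten, never weaken" property requested above, added here as an illustration and not gnutls code. The section name, key names, profile ordering and baseline policy are hypothetical, chosen only for this example.

```python
import configparser

# Hypothetical key names and baseline, chosen for this example only.
LIST_KEYS = {"insecure-sig-for-cert", "insecure-sig", "insecure-hash",
             "disabled-curve", "disabled-version", "disabled-cipher",
             "disabled-mac", "disabled-group", "disabled-kx"}
PROFILE_KEY = "min-verification-profile"
PROFILES = ["low", "legacy", "medium", "high", "ultra"]  # weakest to strongest
DEFAULT_POLICY = {"insecure-hash": {"md5"}, "disabled-version": {"ssl3.0"},
                  PROFILE_KEY: "legacy"}

# Constructed sample of a system-wide file.
SAMPLE = """\
[overrides]
insecure-hash = sha1
insecure-sig-for-cert = rsa-sha1, dsa-sha1
disabled-version = tls1.0, tls1.1
min-verification-profile = medium
"""

def apply_overrides(text, base=DEFAULT_POLICY):
    """Return base tightened by the [overrides] section; never loosened."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    policy = {k: set(v) if isinstance(v, set) else v for k, v in base.items()}
    if not cp.has_section("overrides"):
        return policy
    for key, raw in cp["overrides"].items():
        if key in LIST_KEYS:
            # Lists only grow: entries are added to what is already banned.
            items = {v.strip().lower() for v in raw.split(",") if v.strip()}
            policy.setdefault(key, set()).update(items)
        elif key == PROFILE_KEY:
            wanted = raw.strip().lower()
            if wanted not in PROFILES:
                raise ValueError(f"unknown profile: {raw!r}")
            # Keep whichever of the current and requested profile is stricter.
            policy[key] = max(policy.get(key, PROFILES[0]), wanted,
                              key=PROFILES.index)
        else:
            # No key exists for re-enabling anything, so unknown keys are errors.
            raise ValueError(f"unsupported option: {key!r}")
    return policy

if __name__ == "__main__":
    for name, value in sorted(apply_overrides(SAMPLE).items()):
        print(name, "=", sorted(value) if isinstance(value, set) else value)
```

Because the only accepted keys add to a deny list or raise the minimum profile, a tampered or mistaken file can at worst make the policy stricter than the built-in default.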