From BBecken at aafp.org  Tue Jan  3 19:09:34 2023
From: BBecken at aafp.org (Brad Beckenhauer)
Date: Tue, 3 Jan 2023 19:09:34 +0000
Subject: [ZendTo] Installing Zendto on RHEL 9 with Security Profile
References: <MW4PR15MB5231F2080B5E8C9CC4F61A86DEF49@MW4PR15MB5231.namprd15.prod.outlook.com>
Message-ID: <WM!138cdda7a28095622d91b89785335ee60d61600c5eeeb9b0dfe830ecdd1aa2625bbeeffc6bc0598398c318024f78c236!@mx.jul.es>

I build a test RHEL 9 server using the following Red Hat security profile:

"Protection Profile for General Purpose Operating Systems"
This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance
documenation for Target of Evaluation based on Protection Profile for
General Purpose Operating System (OSPP) version 4.2.1 and Functional
Package for SSH version 1.0

I was going to test using Zendto using this profile, but when attempting to setup the yum repository:

rpm --import https://zend.to/files/zendto.gpg.asc

This error occurs:
warning: Signature not supported.  Hash algorithm SHA1 not available.
error: https://zend.to/files/zendto.gpg.asc: key 1 import failed.

$ /usr/bin/openssl ciphers -V
          0x13,0x02 - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
          0x13,0x01 - TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)            Mac=AEAD
          0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128)            Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256)            Mac=AEAD
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(128)            Mac=AEAD
          0x00,0xA9 - PSK-AES256-GCM-SHA384          TLSv1.2 Kx=PSK      Au=PSK   Enc=AESGCM(256)            Mac=AEAD
          0x00,0xA8 - PSK-AES128-GCM-SHA256          TLSv1.2 Kx=PSK      Au=PSK   Enc=AESGCM(128)            Mac=AEAD
          0x00,0xAB - DHE-PSK-AES256-GCM-SHA384      TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=AESGCM(256)            Mac=AEAD
          0x00,0xAA - DHE-PSK-AES128-GCM-SHA256      TLSv1.2 Kx=DHEPSK   Au=PSK   Enc=AESGCM(128)            Mac=AEAD

So the protection profile eliminated the SHA1 algorithm.

Is another cipher or option available that can be used to setup the yum repository?

Cheers
Brad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20230103/e4aa955a/attachment-0001.html>