[ZendTo] Installing Zendto on RHEL 9 with Security Profile
Orion Poplawski
orion at nwra.com
Thu Mar 2 17:59:10 GMT 2023
On 1/3/23 12:09, Brad Beckenhauer via ZendTo wrote:
> I built a test RHEL 9 server using the following Red Hat security profile:
>
> "Protection Profile for General Purpose Operating Systems"
> This profile is part of Red Hat Enterprise Linux 9 Common Criteria Guidance
> documentation for Target of Evaluation based on Protection Profile for
> General Purpose Operating System (OSPP) version 4.2.1 and Functional
> Package for SSH version 1.0
>
> I was going to test using Zendto using this profile, but when attempting to
> set up the yum repository:
>
> rpm --import https://zend.to/files/zendto.gpg.asc
>
> This error occurs:
> warning: Signature not supported. Hash algorithm SHA1 not available.
> error: https://zend.to/files/zendto.gpg.asc: key 1 import failed.
>
> $ /usr/bin/openssl ciphers -V
> 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> 0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
> 0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
> 0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> 0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
> 0x00,0xA9 - PSK-AES256-GCM-SHA384 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(256) Mac=AEAD
> 0x00,0xA8 - PSK-AES128-GCM-SHA256 TLSv1.2 Kx=PSK Au=PSK Enc=AESGCM(128) Mac=AEAD
> 0x00,0xAB - DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(256) Mac=AEAD
> 0x00,0xAA - DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESGCM(128) Mac=AEAD
>
> So the protection profile eliminated the SHA1 algorithm.
>
> Is another cipher or option available that can be used to set up the yum
> repository?
ZendTo is going to need to produce a new GPG key with modern algorithms.
--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 https://www.nwra.com/
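
Added example, not part of the original messages: the rpm warning above concerns the hash algorithm of a signature inside the key file, and the script below lists the hash used by each signature packet in `gpg --list-packets` output and flags SHA-1 (hash algorithm ID 2 in RFC 4880). The function names and the sample packet listing are constructed for illustration; the sample is not the ZendTo key.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reads `gpg --list-packets` text on
# stdin and prints one line per signature: <keyid> <sigclass> <hash> <FLAGGED|ok>
audit_sig_hashes() {
    awk '
        BEGIN { name[1]="MD5"; name[2]="SHA1"; name[8]="SHA256"
                name[9]="SHA384"; name[10]="SHA512"; name[11]="SHA224" }
        /^:signature packet:/ { keyid = $NF; sigclass = "?" }   # keyid is the last field
        /sigclass/ { for (i = 1; i < NF; i++) if ($i == "sigclass") sigclass = $(i+1) }
        /digest algo/ && keyid != "" {
            algo = $3 + 0                                   # "2," becomes 2
            hash = (algo in name) ? name[algo] : "algo" algo
            print keyid, sigclass, hash, (algo == 2 ? "FLAGGED" : "ok")
            keyid = ""
        }'
}

# Number of SHA-1 signatures in the listing on stdin (0 if none).
count_sha1_sigs() {
    audit_sig_hashes | awk '$4 == "FLAGGED" { n++ } END { print n + 0 }'
}

# Constructed sample in the layout gpg prints: a key whose self-signature
# (sigclass 0x13) uses SHA-1 and whose subkey binding (0x18) uses SHA-256.
sample_packets() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
:user ID packet: "Example Repo Key (constructed) <repo@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1400000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 4f a1
:public sub key packet:
    version 4, algo 1, created 1400000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 9c 02
EOF
}

# Offline demo on the constructed sample. For a real key file, on a machine
# with gnupg installed:  gpg --list-packets < key.asc | audit_sig_hashes
sample_packets | audit_sig_hashes
echo "SHA-1 signatures: $(sample_packets | count_sha1_sigs)"
```

A key that reports zero flagged signatures has no SHA-1 signature for the policy to reject; a flagged 0x13 self-signature means the key owner has to re-sign or reissue the key, which is what the reply above asks for.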