Additional technical details can be found in the Fedora Wiki: link:https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql[].
certutil -d sql:</path/to/database> -N -f </path/to/database/password/file> \
-@ </path/to/database/password/file>
Deprecate TCP wrappers
Disable DSA
Fedora 28 https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers[removes support] for `tcp_wrappers` (aka `/etc/hosts.deny` access files) by default from all the network daemons and tools. The preferred replacements are firewalld, nftables rules, or software-specific access rules for more complex filtering. If your system security depends on `tcp_wrappers` rules, convert them to firewall rules, or set up `tcpd` to do the same job for you.
Fedora 28 replaces authconfig with authselect as the default tool for generating PAM configuration files and nsswitch.conf. On new installations, authselect, together with an authconfig compatibility tool, will be installed by default instead of authconfig. On upgraded installations, authconfig will be replaced with authselect and the compatibility tool, but the configuration generated by authconfig will be left intact. The authconfig compatibility tool will be removed from Fedora in a future release. The https://github.com/pbrezina/authselect/tree/master/src/man/authselect-migration.7.txt.in.in[authselect-migration(7)] man page explains how to migrate from authconfig to authselect.
Fedora has https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers[deprecated the use of TCP wrappers]. The OpenLDAP project also https://www.openldap.org/doc/admin24/security.html#TCP%20Wrappers[discourages their use] and recommends that an IP firewall is used instead. With this update, OpenLDAP will not be configured with `--enable-wrappers` and so any TCP wrappers configuration will have no effect on OpenLDAP. Other means should be used to protect the OpenLDAP server.
In Fedora 28, the default file format used by the *NSS* library is changed to SQL.
Libcurl switches from libssh2 to libssh
NSS uses SQL as default file format
OpenLDAP clients and server now use the https://fedoraproject.org/wiki/Features/SharedSystemCertificates[system-wide certificate store] by default, instead of `/etc/openldap/certs`.
OpenLDAP defaults to use only Shared System Certificates
OpenLDAP drops TCP wrappers support
OpenLDAP switches from NSS to OpenSSL
Replace authconfig with authselect
Require RSA of 2048 bits or more
The Network Security Services (NSS) library, which is used by Mozilla Firefox, GNOME Evolution, Mozilla Thunderbird, and other applications, changed its default database format for storing keys, certificates, and trust information. The new database format is based on SQLite and uses the filenames `cert9.db`, `key4.db`, and `pkcs11.txt`. The previous database format used Berkeley DB (DBM) and filenames `cert8.db`, `key3.db`, and `secmod.db`.
The primary benefit of the SQLite storage is support for concurrent access by multiple applications. When using the previous default file format based on DBM, accidental concurrent access could result in corrupted storage.
Unless an application explicitly requests either the DBM or SQL format, the NSS library will automatically migrate the application's NSS database from the old to the new format. The old database files will not be updated further. Most users should not experience differences in operation. Applications that perform many NSS read/write operations may experience a minor performance decrease. Use the following command to trigger an explicit migration:
Updated cryptography settings