English Turkish
Updated cryptography settings
With this update, the default Fedora policy regarding cryptographic components has been updated to disallow the use of algorithms that are no longer considered secure. Specifically, the changes involve:
Require RSA of 2048 bits or more
Disable DSA
Libcurl switches from libssh2 to libssh
With this update, the *libcurl* library switches from using *libssh2* to implement the SSH layer of SCP and SFTP protocols to *libssh*. The reason for the change is that the *libssh2* library uses outdated cryptographic algorithms and lacks important features, such as GSS-API authentication. The newly used *libssh* library is more secure, feature-complete, and with more active upstream community.
NSS uses SQL as default file format
In Fedora 28, the default file format used by the *NSS* library is changed to SQL.
The Network Security Services (NSS) library, which is used by Mozilla Firefox, Gnome Evolution, Mozilla Thunderbird, and other applications, changed its default database format for storing keys, certificates, and trust information. The new database format is based on SQlite and uses the filenames `cert9.db`, `key4.db`, and `pkcs11.txt`. The previous database format used Berkeyley DB (DBM) and filenames `cert8.db`, `key3.db`, and `secmod.db`.
The primary benefit of the SQlite storage is support for concurrent access by multiple applications. When using the previous default file format based on DBM, accidental concurrent access could result in corrupted storage.
Unless an application explicitly requests either the DBM or SQL format, the NSS library will automatically migrate the application's NSS database from the old to the new format. The old database files will not be updated further. Most users should not experience differences in operation. Applications that perform many NSS read/write operations may experience a minor performance decrease. Use the following command to trigger an explicit migration:
certutil -d sql:</path/to/database> -N -f </path/to/database/password/file> \
-@ </path/to/database/password/file>
Users who store their system home or application data directory on a network filesystem are advised to set the `NSS_SDB_USE_CACHE=yes` environment variable prior to starting applications that use NSS. Without setting this environment variable, users of network filesystems may experience a major slowdown with some applications, such as Firefox. The environment variable enables the use of a caching strategy in NSS that works around the slowness of network filesystems. Because this caching strategy causes a performance decrease on fast filesystems.
Additional technical details can be found in the Fedora Wiki: link:https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql[].
Deprecate TCP wrappers
Fedora 28 https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers[removes support] for `tcp_wrappers` (aka `/etc/hosts.deny` access files) by default from all the network daemons and tools. The preferred replacements are software firewalld, nftables rules or software specific access rules for more complex filtering. If your system security depends on `tcp_wrappers` rules, convert them to firewall rules, or set up `tcpd` to do the same job for you.
OpenLDAP switches from NSS to OpenSSL
With this update, the OpenLDAP distribution in Fedora changed from using the *NSS* (or *MozNSS*) library to the *OpenSSL* library for providing cryptographic functions. The switch promises better support from OpenLDAP upstream, which had ceased maintaining the NSS support layer.
OpenLDAP defaults to use only Shared System Certificates
OpenLDAP clients and server now use the https://fedoraproject.org/wiki/Features/SharedSystemCertificates[system-wide certificate store] by default, instead of `/etc/openldap/certs`.