Requirements for crypto deprecation?
jrey at linux.ibm.com
Wed May 13 01:48:54 AEST 2020
Ping. Does anyone have requirements for a BMC admin to be able to
disable cryptographic algorithms that help provide transport layer
security (TLS) for network traffic? For example, if
ECDHE-ECDSA-AES256-GCM-SHA384 was broken [1], do we need a way to
disable it for HTTPS in operational BMCs?

Note: The list of supported algorithms is compiled into the BMC's
firmware image [2] and cannot be changed by an admin or shell
commands; it requires reconfiguration of the source code and the BMC
to be updated with a new firmware image.

Is there interest in adding this function, knowing the fallback option
is to update the firmware?

[1]: I am not saying or even hinting this is broken. ;-)
[2]: Similar compile-time config for dropbear SSH server.