Chapter 48. Security
USBGuard
enables blocking USB devices while the screen is locked as a Technology Preview
With the
USBGuard
framework, you can influence how an already running usbguard-daemon
instance handles newly inserted USB devices by setting the value of the InsertedDevicePolicy
runtime parameter. This functionality is provided as a Technology Preview, and the default choice is to apply the policy rules to figure out whether to authorize the device or not.
See the
Blocking USB devices while the screen is locked
Knowledge Base article: https://access.redhat.com/articles/3230621 (BZ#1480100)
pk12util
can now import certificates signed with RSA-PSS
The
pk12util
tool now provides importing a certificate signed with the RSA-PSS
algorithm as a Technology Preview.
Note that if the corresponding private key is imported and has the
PrivateKeyInfo.privateKeyAlgorithm
field that restricts the signing algorithm to RSA-PSS
, it is ignored when importing the key to a browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1413596 for more information. (BZ#1431210)
Support for certificates signed with RSA-PSS
in certutil
has been improved
Support for certificates signed with the
RSA-PSS
algorithm in the certutil
tool has been improved. Notable enhancements and fixes include:
- The
--pss
option is now documented. - The
PKCS#1 v1.5
algorithm is no longer used for self-signed signatures when a certificate is restricted to useRSA-PSS
. - Empty
RSA-PSS
parameters in thesubjectPublicKeyInfo
field are no longer printed as invalid when listing certificates. - The
--pss-sign
option for creating regular RSA certificates signed with theRSA-PSS
algorithm has been added.
Support for certificates signed with
RSA-PSS
in certutil
is provided as a Technology Preview. (BZ#1425514)
NSS
is now able to verify RSA-PSS
signatures on certificates
With the new version of the nss package, the
Network Security Services
(NSS) libraries now provide verifying RSA-PSS
signatures on certificates as a Technology Preview. Prior to this update, clients using NSS
as the SSL
backend were not able to establish a TLS
connection to a server that offered only certificates signed with the RSA-PSS
algorithm.
Note that the functionality has the following limitations:
- The algorithm policy settings in the
/etc/pki/nss-legacy/rhel7.config
file do not apply to the hash algorithms used inRSA-PSS
signatures. RSA-PSS
parameters restrictions between certificate chains are ignored and only a single certificate is taken into account. (BZ#1432142)
SECCOMP can be now enabled in libreswan
As a Technology Preview, the
seccomp=enabled|tolerant|disabled
option has been added to the ipsec.conf
configuration file, which makes it possible to use the Secure Computing mode (SECCOMP). This improves the syscall security by whitelisting all the system calls that Libreswan
is allowed to execute. For more information, see the ipsec.conf(5)
man page. (BZ#1375750)