1UPDATE-CRYPTO-POLI(8)                                    UPDATE-CRYPTO-POLI(8)
2
3
4

NAME

6       update-crypto-policies - manage the policies available to the various
7       cryptographic back-ends.
8

SYNOPSIS

10       update-crypto-policies [COMMAND]
11

DESCRIPTION

13       update-crypto-policies(8) is used to set the policy applicable for the
14       various cryptographic back-ends, such as SSL/TLS libraries. That will
15       be the default policy used by these back-ends unless the application
16       user configures them otherwise.
17
18       The available policies are described in the crypto-policies(7) manual
19       page.
20
21       The desired system policy is selected in /etc/crypto-policies/config
22       and this tool will generate the individual policy requirements for all
23       back-ends that support such configuration. After this tool is called
24       the administrator is assured that any application that utilizes the
25       supported back-ends will follow a policy that adheres to the configured
26       profile.
27
28       Note that the above assurance does apply to the extent that
29       applications are configured to follow the default policy (the details
30       vary on the back-end, see below for more information).
31
32       The generated back-end policies will be placed in
33       /etc/crypto-policies/back-ends. Currently the supported back-ends are:
34
35       ·   GnuTLS library
36
37       ·   OpenSSL library
38
39       ·   NSS library
40
41       ·   OpenJDK
42
43       ·   Libkrb5
44
45       ·   BIND
46
47       ·   OpenSSH
48
49       ·   Libreswan
50
51       Applications and languages which rely on any of these back-ends will
52       follow the system policies as well. Examples are apache httpd, nginx,
53       php, and others.
54
55       In general after changing the system crypto policies with the
56       update-crypto-policies --set command it is recommended to restart the
57       system for the effect to fully take place as the policy configuration
58       files are loaded on application start-up. Otherwise applications
59       started before the command was run need to be restarted to load the
60       updated configuration.
61

COMMANDS

63       The following commands are available in update-crypto-policies tool.
64
65       ·   --show: Shows the currently applied crypto policy
66
67       ·   --is-applied: Returns success if the currently configured policy is
68           already applied.
69
70       ·   --set: Sets the current policy and overwrites the config file.
71

OPTIONS

73       The following options are available in update-crypto-policies tool.
74
75       ·   --no-check: By default this tool does a sanity check on whether the
76           configured policy is accepted by the supported tools. This option
77           disables those checks.
78
79       ·   --no-reload: By default this tool causes some running applications
80           to reload the configured policy. This option skips the reloading.
81

APPLICATION SUPPORT

83       Applications in the operating system that provide a default
84       configuration file that includes a cryptographic policy string will be
85       modified gradually to support these policies.
86
87       When an application provides a configuration file, the changes needed
88       to utilize the system-wide policy are the following.
89
90       ·   Applications using GnuTLS: If an application allows the
91           configuration of cipher priotities via a string, the special
92           priority string "@SYSTEM" should replace any other priority string.
93           Applications which use the default library settings automatically
94           adhere to the policy. Applications following the policy inherit the
95           settings for cipher suite preference, TLS and DTLS protocol
96           versions, allowed elliptic curves, and limits for cryptographic
97           keys.
98
99       ·   Applications using OpenSSL: If an application allows the
100           configuration of ciphersuite string, the special cipher string
101           "PROFILE=SYSTEM" should replace any other cipher string.
102           Applications which use the default library settings automatically
103           adhere to the policy. Applications following the policy inherit the
104           settings for cipher suite preference. By default the OpenSSL
105           library reads a configuration file when it is initialized. If the
106           applicaton does not override loading of the configuration file, the
107           policy also sets the minimum TLS protocol version and default
108           cipher suite preference via this file. If the application is
109           long-running such as the httpd server it has to be restarted to
110           reload the configuration file after policy is changed. Otherwise
111           the changed policy cannot take effect.
112
113       ·   Applications using NSS: Applications using NSS will load the crypto
114           policies by default. They inherit the settings for cipher suite
115           preference, TLS and DTLS protocol versions, allowed elliptic
116           curves, and limits for cryptographic keys. Note that unlike OpenSSL
117           and GnuTLS, the NSS policy is enforced by default; to prevent
118           applications from adhering to the policy the
119           NSS_IGNORE_SYSTEM_POLICY environment variable must be set to 1
120           prior to executing that application.
121
122       ·   Applications using Java: No special treatment is required.
123           Applications using Java will load the crypto policies by default.
124           These applications will then inherit the settings for allowed
125           cipher suites, allowed TLS and DTLS protocol versions, allowed
126           elliptic curves, and limits for cryptographic keys. To prevent
127           openjdk applications from adhering to the policy the
128           <java.home>/jre/lib/security/java.security file should be edited to
129           contain security.useSystemPropertiesFile=false. Alternatively one
130           can create a file containing the overridden values for
131           jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms and
132           pass the location of that file to Java on the command line using
133           the -Djava.security.properties=<path to file>.
134
135       ·   Applications using libkrb5: No special treatment is required.
136           Applications will follow the crypto policies by default. These
137           applications inherit the settings for the permitted encryption
138           types for tickets as well as the cryptographic key limits for the
139           PKINIT protocol. A system-wide opt-out is available by deleting the
140           /etc/krb5.conf.d/crypto-policies link.
141
142       ·   BIND: This application inherits the set of blacklisted algorithms.
143           To opt-out from the policy, remove the policy include directive in
144           the named.conf file.
145
146       ·   OpenSSH: Both server and client application inherits the cipher
147           preferences, the key exchange algorithms as well as the GSSAPI key
148           exchange algorithms. To opt-out from the policy for client,
149           override the global ssh_config with a user-specific configuration
150           in ~/.ssh/config. See ssh_config(5) for more information. To
151           opt-out from the policy for server, uncomment the line containing
152           CRYPTO_POLICY= in /etc/sysconfig/sshd .
153
154       ·   Libreswan: Both servers and clients inherit the ESP and IKE
155           preferences, if they are not overriden in the connection
156           configuration file. Note that due to limitations of libreswan,
157           crypto policies is restricted to supporting IKEv2. To opt-out from
158           the policy, comment the line including
159           /etc/crypto-policies/back-ends/libreswan.config from
160           /etc/ipsec.conf.
161

POLICY CONFIGURATION

163       One of the supported profiles should be set in
164       /etc/crypto-policies/config and this script should be run afterwards.
165
166       In case of a parsing error no policies will be updated.
167

FILES

169       /etc/crypto-policies/config
170           The file contains the current system policy. It should contain a
171           string of one of the profiles listed in the crypto-policies(7) page
172           (e.g., DEFAULT).
173
174       /etc/crypto-policies/back-ends
175           Contains the generated policies in separated files, and in a format
176           readable by the supported back ends.
177
178       /etc/crypto-policies/local.d
179           Contains additional files to be appended to the generated policy
180           files. The files present must adhere to $app-XXX.config file
181           naming, where XXX is any arbitrary identifier. For example, to
182           append a line to GnuTLS' generated policy, create a
183           gnutls-extra-line.config file in local.d. This will be appended to
184           the generated gnutls.config during update-crypto-policies. These
185           overrides, are only functional for the gnutls, bind, java (openjdk)
186           and krb5 back-ends.
187

SEE ALSO

189       crypto-policies(7), fips-mode-setup(8)
190

AUTHOR

192       Written by Nikos Mavrogiannopoulos.
193
194
195
196update-crypto-policies            05/11/2019             UPDATE-CRYPTO-POLI(8)
Impressum