1UPDATE-CRYPTO-POLI(8) UPDATE-CRYPTO-POLI(8)
2
6 update-crypto-policies - manage the policies available to the various
7 cryptographic back-ends.
8
10 update-crypto-policies [COMMAND]
11
13 update-crypto-policies(8) is used to set the policy applicable for the
14 various cryptographic back-ends, such as SSL/TLS libraries. That will
15 be the default policy used by these back-ends unless the application
16 user configures them otherwise.
17 The available policies are described in the crypto-policies(7) manual
19 page.
20 The desired system policy is selected in /etc/crypto-policies/config
22 and this tool will generate the individual policy requirements for all
23 back-ends that support such configuration. After this tool is called
24 the administrator is assured that any application that utilizes the
25 supported back-ends will follow a policy that adheres to the configured
26 profile.
27 Note that the above assurance does apply to the extent that
29 applications are configured to follow the default policy (the details
30 vary on the back-end, see below for more information).
31 The generated back-end policies will be placed in
33 /etc/crypto-policies/back-ends. Currently the supported back-ends are:
34 · GnuTLS library
36 · OpenSSL library
38 · NSS library
40 · OpenJDK
42 · Libkrb5
44 · BIND
46 · OpenSSH
48 · Libreswan
50 · libssh
52 Applications and languages which rely on any of these back-ends will
54 follow the system policies as well. Examples are apache httpd, nginx,
55 php, and others.
56 In general after changing the system crypto policies with the
58 update-crypto-policies --set command it is recommended to restart the
59 system for the effect to fully take place as the policy configuration
60 files are loaded on application start-up. Otherwise applications
61 started before the command was run need to be restarted to load the
62 updated configuration.
63
65 The following commands are available in update-crypto-policies tool.
66 · --show: Shows the currently applied crypto policy
68 · --is-applied: Returns success if the currently configured policy is
70 already applied.
71 · --set: Sets the current policy and overwrites the config file.
73
75 The following options are available in update-crypto-policies tool.
76 · --no-check: By default this tool does a sanity check on whether the
78 configured policy is accepted by the supported tools. This option
79 disables those checks.
80 · --no-reload: By default this tool causes some running applications
82 to reload the configured policy. This option skips the reloading.
83
85 Applications in the operating system that provide a default
86 configuration file that includes a cryptographic policy string will be
87 modified gradually to support these policies.
88 When an application provides a configuration file, the changes needed
90 to utilize the system-wide policy are the following.
91 · Applications using OpenSSL: If an application allows the
93 configuration of ciphersuite string, the special cipher string
94 "PROFILE=SYSTEM" should replace any other cipher string.
95 Applications which use the default library settings automatically
96 adhere to the policy. Applications following the policy inherit the
97 settings for cipher suite preference. By default the OpenSSL
98 library reads a configuration file when it is initialized. If the
99 applicaton does not override loading of the configuration file, the
100 policy also sets the minimum TLS protocol version and default
101 cipher suite preference via this file. If the application is
102 long-running such as the httpd server it has to be restarted to
103 reload the configuration file after policy is changed. Otherwise
104 the changed policy cannot take effect.
105 · Applications using GnuTLS: Applications using GnuTLS will load the
107 crypto policies by default. To prevent applications from adhering
108 to the policy the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
109 must be set on an empty file (e.g., /dev/null). The policy covers
110 the settings for cipher suite preference, TLS and DTLS protocol
111 versions, allowed elliptic curves, and limits for cryptographic
112 keys.
113 · Applications using NSS: Applications using NSS will load the crypto
115 policies by default. They inherit the settings for cipher suite
116 preference, TLS and DTLS protocol versions, allowed elliptic
117 curves, and limits for cryptographic keys. To prevent applications
118 from adhering to the policy the NSS_IGNORE_SYSTEM_POLICY
119 environment variable must be set to 1 prior to executing that
120 application.
121 · Applications using Java: No special treatment is required.
123 Applications using Java will load the crypto policies by default.
124 These applications will then inherit the settings for allowed
125 cipher suites, allowed TLS and DTLS protocol versions, allowed
126 elliptic curves, and limits for cryptographic keys. To prevent
127 openjdk applications from adhering to the policy the
128 <java.home>/jre/lib/security/java.security file should be edited to
129 contain security.useSystemPropertiesFile=false. Alternatively one
130 can create a file containing the overridden values for
131 jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms and
132 pass the location of that file to Java on the command line using
133 the -Djava.security.properties=<path to file>.
134 · Applications using libkrb5: No special treatment is required.
136 Applications will follow the crypto policies by default. These
137 applications inherit the settings for the permitted encryption
138 types for tickets as well as the cryptographic key limits for the
139 PKINIT protocol. A system-wide opt-out is available by deleting the
140 /etc/krb5.conf.d/crypto-policies link.
141 · BIND: This application inherits the set of blacklisted algorithms.
143 To opt-out from the policy, remove the policy include directive in
144 the named.conf file.
145 · OpenSSH: Both server and client application inherits the cipher
147 preferences, the key exchange algorithms as well as the GSSAPI key
148 exchange algorithms. To opt-out from the policy for client,
149 override the global ssh_config with a user-specific configuration
150 in ~/.ssh/config. See ssh_config(5) for more information. To
151 opt-out from the policy for server, uncomment the line containing
152 CRYPTO_POLICY= in /etc/sysconfig/sshd .
153 · Libreswan: Both servers and clients inherit the ESP and IKE
155 preferences, if they are not overriden in the connection
156 configuration file. Note that due to limitations of libreswan,
157 crypto policies is restricted to supporting IKEv2. To opt-out from
158 the policy, comment the line including
159 /etc/crypto-policies/back-ends/libreswan.config from
160 /etc/ipsec.conf.
161 · Applications using libssh: Both client and server applications
163 using libssh will load the crypto policies by default. They inherit
164 the ciphers, key exchange, message authentication, and signature
165 algorithms preferences.
166
168 One of the supported profiles should be set in
169 /etc/crypto-policies/config and this script should be run afterwards.
170 In case of a parsing error no policies will be updated.
172
174 The custom policies can take two forms. First form is a full custom
175 policy file which is supported by the update-crypto-policies tool in
176 the same way as the policies shipped along the tool in the package.
177 The second form can be called a subpolicy or policy modifier. This form
179 modifies aspects of any base policy file by removing or adding
180 algorithms or protocols. The subpolicies can be appended on the
181 update-crypto-policies --set command line to the base policy separated
182 by the : character. There can be multiple subpolicies appended.
183 Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
185 hash and subpolicy GOST that enables support for the various algorithms
186 specified in Russian GOST standards. You can set the DEFAULT policy
187 with disabled SHA1 support and enabled GOST support by running the
188 following command:
189 update-crypto-policies --set DEFAULT:NO-SHA1:GOST
191 This command generates and applies configuration that will be
193 modification of the DEFAULT policy with changes specified in the
194 NO-SHA1 and GOST subpolicies.
195
197 /etc/crypto-policies/config
198 The file contains the current system policy. It should contain a
199 string of one of the profiles listed in the crypto-policies(7) page
200 (e.g., DEFAULT).
201 /etc/crypto-policies/back-ends
203 Contains the generated policies in separated files, and in a format
204 readable by the supported back ends.
205 /etc/crypto-policies/local.d
207 Contains additional files to be appended to the generated policy
208 files. The files present must adhere to $app-XXX.config file
209 naming, where XXX is any arbitrary identifier. For example, to
210 append a line to GnuTLS' generated policy, create a
211 gnutls-extra-line.config file in local.d. This will be appended to
212 the generated gnutls.config during update-crypto-policies. These
213 overrides, are only functional for the gnutls, bind, java (openjdk)
214 and krb5 back-ends.
215
217 crypto-policies(7), fips-mode-setup(8)
218
220 Written by Nikos Mavrogiannopoulos.
221update-crypto-policies 12/16/2019 UPDATE-CRYPTO-POLI(8)