1UPDATE-CRYPTO-POLI(8)                                    UPDATE-CRYPTO-POLI(8)
2
3
4

NAME

6       update-crypto-policies - manage the policies available to the various
7       cryptographic back-ends.
8

SYNOPSIS

10       update-crypto-policies [COMMAND]
11

DESCRIPTION

13       update-crypto-policies(8) is used to set the policy applicable for the
14       various cryptographic back-ends, such as SSL/TLS libraries. That will
15       be the default policy used by these back-ends unless the application
16       user configures them otherwise.
17
18       The available policies are described in the crypto-policies(7) manual
19       page.
20
21       The desired system policy is selected in /etc/crypto-policies/config
22       and this tool will generate the individual policy requirements for all
23       back-ends that support such configuration. After this tool is called
24       the administrator is assured that any application that utilizes the
25       supported back-ends will follow a policy that adheres to the configured
26       profile.
27
28       Note that the above assurance does apply to the extent that
29       applications are configured to follow the default policy (the details
30       vary on the back-end, see below for more information).
31
32       The generated back-end policies will be placed in
33       /etc/crypto-policies/back-ends. Currently the supported back-ends are:
34
35       ·   GnuTLS library
36
37       ·   OpenSSL library
38
39       ·   NSS library
40
41       ·   OpenJDK
42
43       ·   Libkrb5
44
45       ·   BIND
46
47       ·   OpenSSH
48
49       ·   Libreswan
50
51       ·   libssh
52
53       Applications and languages which rely on any of these back-ends will
54       follow the system policies as well. Examples are apache httpd, nginx,
55       php, and others.
56
57       In general after changing the system crypto policies with the
58       update-crypto-policies --set command it is recommended to restart the
59       system for the effect to fully take place as the policy configuration
60       files are loaded on application start-up. Otherwise applications
61       started before the command was run need to be restarted to load the
62       updated configuration.
63

COMMANDS

65       The following commands are available in update-crypto-policies tool.
66
67       ·   --show: Shows the currently applied crypto policy
68
69       ·   --is-applied: Returns success if the currently configured policy is
70           already applied.
71
72       ·   --set: Sets the current policy and overwrites the config file.
73

OPTIONS

75       The following options are available in update-crypto-policies tool.
76
77       ·   --no-check: By default this tool does a sanity check on whether the
78           configured policy is accepted by the supported tools. This option
79           disables those checks.
80
81       ·   --no-reload: By default this tool causes some running applications
82           to reload the configured policy. This option skips the reloading.
83

APPLICATION SUPPORT

85       Applications in the operating system that provide a default
86       configuration file that includes a cryptographic policy string will be
87       modified gradually to support these policies.
88
89       When an application provides a configuration file, the changes needed
90       to utilize the system-wide policy are the following.
91
92       ·   Applications using OpenSSL: If an application allows the
93           configuration of ciphersuite string, the special cipher string
94           "PROFILE=SYSTEM" should replace any other cipher string.
95           Applications which use the default library settings automatically
96           adhere to the policy. Applications following the policy inherit the
97           settings for cipher suite preference. By default the OpenSSL
98           library reads a configuration file when it is initialized. If the
99           applicaton does not override loading of the configuration file, the
100           policy also sets the minimum TLS protocol version and default
101           cipher suite preference via this file. If the application is
102           long-running such as the httpd server it has to be restarted to
103           reload the configuration file after policy is changed. Otherwise
104           the changed policy cannot take effect.
105
106       ·   Applications using GnuTLS: Applications using GnuTLS will load the
107           crypto policies by default. To prevent applications from adhering
108           to the policy the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
109           must be set on an empty file (e.g., /dev/null). The policy covers
110           the settings for cipher suite preference, TLS and DTLS protocol
111           versions, allowed elliptic curves, and limits for cryptographic
112           keys.
113
114       ·   Applications using NSS: Applications using NSS will load the crypto
115           policies by default. They inherit the settings for cipher suite
116           preference, TLS and DTLS protocol versions, allowed elliptic
117           curves, and limits for cryptographic keys. To prevent applications
118           from adhering to the policy the NSS_IGNORE_SYSTEM_POLICY
119           environment variable must be set to 1 prior to executing that
120           application.
121
122       ·   Applications using Java: No special treatment is required.
123           Applications using Java will load the crypto policies by default.
124           These applications will then inherit the settings for allowed
125           cipher suites, allowed TLS and DTLS protocol versions, allowed
126           elliptic curves, and limits for cryptographic keys. To prevent
127           openjdk applications from adhering to the policy the
128           <java.home>/jre/lib/security/java.security file should be edited to
129           contain security.useSystemPropertiesFile=false. Alternatively one
130           can create a file containing the overridden values for
131           jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms and
132           pass the location of that file to Java on the command line using
133           the -Djava.security.properties=<path to file>.
134
135       ·   Applications using libkrb5: No special treatment is required.
136           Applications will follow the crypto policies by default. These
137           applications inherit the settings for the permitted encryption
138           types for tickets as well as the cryptographic key limits for the
139           PKINIT protocol. A system-wide opt-out is available by deleting the
140           /etc/krb5.conf.d/crypto-policies link.
141
142       ·   BIND: This application inherits the set of blacklisted algorithms.
143           To opt-out from the policy, remove the policy include directive in
144           the named.conf file.
145
146       ·   OpenSSH: Both server and client application inherits the cipher
147           preferences, the key exchange algorithms as well as the GSSAPI key
148           exchange algorithms. To opt-out from the policy for client,
149           override the global ssh_config with a user-specific configuration
150           in ~/.ssh/config. See ssh_config(5) for more information. To
151           opt-out from the policy for server, uncomment the line containing
152           CRYPTO_POLICY= in /etc/sysconfig/sshd .
153
154       ·   Libreswan: Both servers and clients inherit the ESP and IKE
155           preferences, if they are not overriden in the connection
156           configuration file. Note that due to limitations of libreswan,
157           crypto policies is restricted to supporting IKEv2. To opt-out from
158           the policy, comment the line including
159           /etc/crypto-policies/back-ends/libreswan.config from
160           /etc/ipsec.conf.
161
162       ·   Applications using libssh: Both client and server applications
163           using libssh will load the crypto policies by default. They inherit
164           the ciphers, key exchange, message authentication, and signature
165           algorithms preferences.
166

POLICY CONFIGURATION

168       One of the supported profiles should be set in
169       /etc/crypto-policies/config and this script should be run afterwards.
170
171       In case of a parsing error no policies will be updated.
172

CUSTOM POLICIES

174       The custom policies can take two forms. First form is a full custom
175       policy file which is supported by the update-crypto-policies tool in
176       the same way as the policies shipped along the tool in the package.
177
178       The second form can be called a subpolicy or policy modifier. This form
179       modifies aspects of any base policy file by removing or adding
180       algorithms or protocols. The subpolicies can be appended on the
181       update-crypto-policies --set command line to the base policy separated
182       by the : character. There can be multiple subpolicies appended.
183
184       Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
185       hash and subpolicy GOST that enables support for the various algorithms
186       specified in Russian GOST standards. You can set the DEFAULT policy
187       with disabled SHA1 support and enabled GOST support by running the
188       following command:
189
190       update-crypto-policies --set DEFAULT:NO-SHA1:GOST
191
192       This command generates and applies configuration that will be
193       modification of the DEFAULT policy with changes specified in the
194       NO-SHA1 and GOST subpolicies.
195

FILES

197       /etc/crypto-policies/config
198           The file contains the current system policy. It should contain a
199           string of one of the profiles listed in the crypto-policies(7) page
200           (e.g., DEFAULT).
201
202       /etc/crypto-policies/back-ends
203           Contains the generated policies in separated files, and in a format
204           readable by the supported back ends.
205
206       /etc/crypto-policies/local.d
207           Contains additional files to be appended to the generated policy
208           files. The files present must adhere to $app-XXX.config file
209           naming, where XXX is any arbitrary identifier. For example, to
210           append a line to GnuTLS' generated policy, create a
211           gnutls-extra-line.config file in local.d. This will be appended to
212           the generated gnutls.config during update-crypto-policies. These
213           overrides, are only functional for the gnutls, bind, java (openjdk)
214           and krb5 back-ends.
215

SEE ALSO

217       crypto-policies(7), fips-mode-setup(8)
218

AUTHOR

220       Written by Nikos Mavrogiannopoulos.
221
222
223
224update-crypto-policies            01/28/2020             UPDATE-CRYPTO-POLI(8)
Impressum