1UPDATE-CRYPTO-POLI(8)                                    UPDATE-CRYPTO-POLI(8)
2
3
4

NAME

6       update-crypto-policies - manage the policies available to the various
7       cryptographic back-ends.
8

SYNOPSIS

10       update-crypto-policies [COMMAND]
11

DESCRIPTION

13       update-crypto-policies(8) is used to set the policy applicable for the
14       various cryptographic back-ends, such as SSL/TLS libraries. That will
15       be the default policy used by these back-ends unless the application
16       user configures them otherwise.
17
18       The available policies are described in the crypto-policies(7) manual
19       page.
20
21       The desired system policy is selected in /etc/crypto-policies/config
22       and this tool will generate the individual policy requirements for all
23       back-ends that support such configuration. After this tool is called
24       the administrator is assured that any application that utilizes the
25       supported back-ends will follow a policy that adheres to the configured
26       profile.
27
28       Note that the above assurance does apply to the extent that
29       applications are configured to follow the default policy (the details
30       vary on the back-end, see below for more information).
31
32       The generated back-end policies will be placed in
33       /etc/crypto-policies/back-ends. Currently the supported back-ends are:
34
35       ·   GnuTLS library
36
37       ·   OpenSSL library
38
39       ·   NSS library
40
41       ·   OpenJDK
42
43       ·   Libkrb5
44
45       ·   BIND
46
47       ·   OpenSSH
48
49       ·   Libreswan
50
51       ·   libssh
52
53       Applications and languages which rely on any of these back-ends will
54       follow the system policies as well. Examples are apache httpd, nginx,
55       php, and others.
56
57       In general after changing the system crypto policies with the
58       update-crypto-policies --set command it is recommended to restart the
59       system for the effect to fully take place as the policy configuration
60       files are loaded on application start-up. Otherwise applications
61       started before the command was run need to be restarted to load the
62       updated configuration.
63

COMMANDS

65       The following commands are available in update-crypto-policies tool.
66
67       ·   --show: Shows the currently applied crypto policy
68
69       ·   --is-applied: Returns success if the currently configured policy is
70           already applied.
71
72       ·   --set: Sets the current policy and overwrites the config file.
73

OPTIONS

75       The following options are available in update-crypto-policies tool.
76
77       ·   --no-check: By default this tool does a sanity check on whether the
78           configured policy is accepted by the supported tools. This option
79           disables those checks.
80
81       ·   --no-reload: By default this tool causes some running applications
82           to reload the configured policy. This option skips the reloading.
83

APPLICATION SUPPORT

85       Applications in the operating system that provide a default
86       configuration file that includes a cryptographic policy string will be
87       modified gradually to support these policies.
88
89       When an application provides a configuration file, the changes needed
90       to utilize the system-wide policy are the following.
91
92       ·   Applications using OpenSSL: If an application allows the
93           configuration of ciphersuite string, the special cipher string
94           "PROFILE=SYSTEM" should replace any other cipher string.
95           Applications which use the default library settings automatically
96           adhere to the policy. Applications following the policy inherit the
97           settings for cipher suite preference. By default the OpenSSL
98           library reads a configuration file when it is initialized. If the
99           application does not override loading of the configuration file,
100           the policy also sets the minimum TLS protocol version and default
101           cipher suite preference via this file. If the application is
102           long-running such as the httpd server it has to be restarted to
103           reload the configuration file after policy is changed. Otherwise
104           the changed policy cannot take effect.
105
106       ·   Applications using GnuTLS: Applications using GnuTLS will load the
107           crypto policies by default. To prevent applications from adhering
108           to the policy the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
109           must be set on an empty file (e.g., /dev/null). The policy covers
110           the settings for cipher suite preference, TLS and DTLS protocol
111           versions, allowed elliptic curves, and limits for cryptographic
112           keys.
113
114       ·   Applications using NSS: Applications using NSS will load the crypto
115           policies by default. They inherit the settings for cipher suite
116           preference, TLS and DTLS protocol versions, allowed elliptic
117           curves, and limits for cryptographic keys. To prevent applications
118           from adhering to the policy the NSS_IGNORE_SYSTEM_POLICY
119           environment variable must be set to 1 prior to executing that
120           application.
121
122       ·   Applications using Java: No special treatment is required.
123           Applications using Java will load the crypto policies by default.
124           These applications will then inherit the settings for allowed
125           cipher suites, allowed TLS and DTLS protocol versions, allowed
126           elliptic curves, and limits for cryptographic keys. To prevent
127           openjdk applications from adhering to the policy the
128           <java.home>/jre/lib/security/java.security file should be edited to
129           contain security.useSystemPropertiesFile=false or the system
130           property java.security.disableSystemPropertiesFile be set to true.
131           Note that the system property java.security.properties is loaded
132           with a lower preference than the crypto policies, so you can’t use
133           this property to override crypto policies without also preventing
134           openjdk applications from adhering to the policy.
135
136       ·   Applications using libkrb5: No special treatment is required.
137           Applications will follow the crypto policies by default. These
138           applications inherit the settings for the permitted encryption
139           types for tickets as well as the cryptographic key limits for the
140           PKINIT protocol. A system-wide opt-out is available by deleting the
141           /etc/krb5.conf.d/crypto-policies link.
142
143       ·   BIND: This application inherits the set of blacklisted algorithms.
144           To opt-out from the policy, remove the policy include directive in
145           the named.conf file.
146
147       ·   OpenSSH: Both server and client application inherits the cipher
148           preferences, the key exchange algorithms as well as the GSSAPI key
149           exchange algorithms. To opt-out from the policy for client,
150           override the global ssh_config with a user-specific configuration
151           in ~/.ssh/config. See ssh_config(5) for more information. To
152           override some configuration option in server, use a drop-in
153           directory /etc/ssh/sshd_config.d/ to create a file
154           lexicographically preceding 05-redhat.conf which is currently
155           including crypto policies configuration file.
156
157       ·   Libreswan: Both servers and clients inherit the ESP and IKE
158           preferences, if they are not overridden in the connection
159           configuration file. Note that due to limitations of libreswan,
160           crypto policies is restricted to supporting IKEv2. To opt-out from
161           the policy, comment the line including
162           /etc/crypto-policies/back-ends/libreswan.config from
163           /etc/ipsec.conf.
164
165       ·   Applications using libssh: Both client and server applications
166           using libssh will load the crypto policies by default. They inherit
167           the ciphers, key exchange, message authentication, and signature
168           algorithms preferences.
169

POLICY CONFIGURATION

171       One of the supported profiles should be set in
172       /etc/crypto-policies/config and this script should be run afterwards.
173
174       In case of a parsing error no policies will be updated.
175

CUSTOM POLICIES

177       The custom policies can take two forms. First form is a full custom
178       policy file which is supported by the update-crypto-policies tool in
179       the same way as the policies shipped along the tool in the package.
180
181       The second form can be called a subpolicy or policy modifier. This form
182       modifies aspects of any base policy file by removing or adding
183       algorithms or protocols. The subpolicies can be appended on the
184       update-crypto-policies --set command line to the base policy separated
185       by the : character. There can be multiple subpolicies appended.
186
187       Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
188       hash and subpolicy GOST that enables support for the various algorithms
189       specified in Russian GOST standards. You can set the DEFAULT policy
190       with disabled SHA1 support and enabled GOST support by running the
191       following command:
192
193       update-crypto-policies --set DEFAULT:NO-SHA1:GOST
194
195       This command generates and applies configuration that will be
196       modification of the DEFAULT policy with changes specified in the
197       NO-SHA1 and GOST subpolicies.
198

FILES

200       /etc/crypto-policies/config
201           The file contains the system policy to be applied when
202           update-crypto-policies is run without any arguments. It should
203           contain a string of one of the profiles listed in the
204           crypto-policies(7) page (e.g., DEFAULT) or any custom policy name
205           with subpolicies separated by the : character. The file is
206           overwritten when update-crypto-policies --set is executed.
207
208       /etc/crypto-policies/back-ends
209           Contains the generated policies in separated files, and in a format
210           readable by the supported back ends.
211
212       /etc/crypto-policies/local.d
213           Contains additional files to be appended to the generated policy
214           files. The files present must adhere to $app-XXX.config file
215           naming, where XXX is any arbitrary identifier. For example, to
216           append a line to GnuTLS' generated policy, create a
217           gnutls-extra-line.config file in local.d. This will be appended to
218           the generated gnutls.config during update-crypto-policies. Please
219           note that because the mechanism just appends a line to the back-end
220           configuration the effect varies among the back-ends. For some of
221           the back-ends the override fully replaces the original policy and
222           for other back-ends the override might not be effective at all.
223
224       /etc/crypto-policies/state/current
225           The file contains the current system policy name with eventual
226           subpolicies as of the last execution of the update-crypto-policies
227           command.
228
229       /etc/crypto-policies/state/CURRENT.pol
230           The file contains the current system policy definition with all the
231           modifications from eventual subpolicies applied and is written when
232           the update-crypto-policies command is executed.
233

SEE ALSO

235       crypto-policies(7), fips-mode-setup(8)
236

AUTHOR

238       Written by Nikos Mavrogiannopoulos.
239
240
241
242update-crypto-policies            09/23/2020             UPDATE-CRYPTO-POLI(8)
Impressum