UPDATE-CRYPTO-POLI(8)                                    UPDATE-CRYPTO-POLI(8)

NAME

       update-crypto-policies - manage the policies available to the various
       cryptographic back-ends.

SYNOPSIS

       update-crypto-policies [COMMAND]

DESCRIPTION

       update-crypto-policies(8) is used to set the policy applicable for the
       various cryptographic back-ends, such as SSL/TLS libraries. That will
       be the default policy used by these back-ends unless the application
       user configures them otherwise.

       The available policies are described in the crypto-policies(7) manual
       page.

       The desired system policy is selected in /etc/crypto-policies/config
       and this tool will generate the individual policy requirements for all
       back-ends that support such configuration. After this tool is called
       the administrator is assured that any application that utilizes the
       supported back-ends will follow a policy that adheres to the configured
       profile.

       Note that the above assurance only applies to the extent that
       applications are configured to follow the default policy (the details
       vary by back-end; see APPLICATION SUPPORT below for more information).

       The generated back-end policies will be placed in
       /etc/crypto-policies/back-ends. Currently the supported back-ends are:

       •   GnuTLS library

       •   OpenSSL library

       •   NSS library

       •   OpenJDK

       •   Libkrb5

       •   BIND

       •   OpenSSH

       •   Libreswan

       •   libssh

       Applications and languages which rely on any of these back-ends will
       follow the system policies as well. Examples are Apache httpd, nginx,
       PHP, and others.

       In general, after changing the system crypto policies with the
       update-crypto-policies --set command it is recommended to restart the
       system for the effect to fully take place, as the policy configuration
       files are loaded on application start-up. Otherwise, applications
       started before the command was run need to be restarted to load the
       updated configuration.

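       The following Python script is an added example, not part of the
       update-crypto-policies tool. It lists the processes that started
       before the policy state file was last written, which is the set of
       applications that still hold the previous back-end configuration and
       need a restart. It derives process start times from /proc, so it only
       works on Linux; the reference file defaults to
       /etc/crypto-policies/state/CURRENT.pol (see FILES), but any file the
       tool regenerates can be passed as the first argument instead.

```python
"""List processes that started before the current crypto policy was generated.

Added example, not part of the update-crypto-policies tool.  Linux only: it
derives each process's start time from /proc and compares it with the
modification time of the generated policy file, because a process started
earlier has already loaded the previous back-end configuration.
"""
import os
import sys

# Rewritten by update-crypto-policies on every run (see FILES).  Any file the
# tool regenerates would do as a reference point.
DEFAULT_REFERENCE = "/etc/crypto-policies/state/CURRENT.pol"


def boot_time() -> float:
    """Epoch seconds at which the kernel booted (btime line of /proc/stat)."""
    with open("/proc/stat") as stat:
        for line in stat:
            if line.startswith("btime "):
                return float(line.split()[1])
    raise RuntimeError("no btime line in /proc/stat")


def process_start_time(pid: int, btime: float) -> float:
    """Epoch seconds at which PID started.

    Field 22 of /proc/PID/stat is the start time in clock ticks after boot.
    Field 2, the command name, is parenthesised and may itself contain spaces
    or parentheses, so fields are counted from the last closing parenthesis.
    """
    with open(f"/proc/{pid}/stat") as stat:
        raw = stat.read()
    fields = raw[raw.rindex(")") + 2:].split()  # fields[0] is field 3 (state)
    start_ticks = int(fields[19])                # field 22
    return btime + start_ticks / os.sysconf("SC_CLK_TCK")


def command_name(pid: int) -> str:
    """Executable name of PID, or '?' if it exited or is not readable."""
    try:
        with open(f"/proc/{pid}/comm") as comm:
            return comm.read().strip()
    except OSError:
        return "?"


def stale_processes(reference: str = DEFAULT_REFERENCE) -> list[tuple[int, str]]:
    """(pid, name) of every process started no later than REFERENCE was written.

    btime is truncated to whole seconds and some filesystems store mtime the
    same way, so <= rather than < is used: a process started in the same
    second as the policy write is reported too, erring on the side of one
    restart too many rather than one too few.
    """
    reference_mtime = os.stat(reference).st_mtime
    btime = boot_time()
    stale = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            started = process_start_time(pid, btime)
        except (OSError, ValueError, IndexError):  # exited meanwhile, or unreadable
            continue
        if started <= reference_mtime:
            stale.append((pid, command_name(pid)))
    return sorted(stale)


if __name__ == "__main__":
    reference = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_REFERENCE
    for pid, name in stale_processes(reference):
        print(f"{pid:>7}  {name}")
```

       Run it right after update-crypto-policies --set to obtain the restart
       list. Reading /proc/PID/stat does not require privileges, but a
       container or PID namespace only shows its own processes.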

COMMANDS

       The following commands are available in the update-crypto-policies
       tool.

       •   --set POLICY: Sets the current policy and overwrites the config
           file. POLICY is a policy name, optionally followed by subpolicies
           separated by the : character (see CUSTOM POLICIES).

       •   --show: Shows the currently applied crypto policy.

       •   --is-applied: Returns success if the currently configured policy in
           the config file was applied by running update-crypto-policies.

       •   --check: Returns success if freshly generated configuration files
           match the current policy. The check returns failure if the
           back-end configuration files were modified manually, or if a newer
           version of the crypto-policies package was installed without
           running update-crypto-policies. The latter should not happen with
           system updates because update-crypto-policies is run implicitly
           there.

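       As an added example, not the tool's own implementation of these
       commands, the Python functions below express what --is-applied and
       --check establish in a form usable from an audit or configuration
       management script. is_applied() compares the policy name in config
       with the one recorded in state/current, and drift() compares the
       back-end files against a SHA-256 manifest taken right after the tool
       ran, which catches the manual edits --check would report; unlike
       --check it does not regenerate the files, so it cannot notice a
       package update on its own. The paths are those listed under FILES,
       and the tolerance for blank lines and # comments in the config file is
       this example's assumption, not the tool's documented syntax.

```python
"""Audit checks modelled on what --is-applied and --check establish.

Added example, not the tool's implementation.  Paths follow the FILES
section; the back-end files are hashed so that later manual edits show up.
"""
import hashlib
import json
import os
import sys

CONFIG = "/etc/crypto-policies/config"          # requested policy
CURRENT = "/etc/crypto-policies/state/current"  # policy applied by the last run
BACKENDS = "/etc/crypto-policies/back-ends"     # generated per-back-end files


def read_policy_name(path: str) -> str:
    """Return the policy string in PATH, e.g. 'DEFAULT' or 'DEFAULT:NO-SHA1:GOST'.

    Blank lines and lines starting with '#' are ignored.  That tolerance is an
    assumption of this example; the tool's own parser may be stricter.
    """
    with open(path) as fh:
        names = [line.strip() for line in fh
                 if line.strip() and not line.lstrip().startswith("#")]
    if len(names) != 1:
        raise ValueError(f"{path}: expected exactly one policy name, found {names}")
    return names[0]


def is_applied(config: str = CONFIG, current: str = CURRENT) -> bool:
    """True when the configured policy is the one recorded by the last run.

    A missing state file means the tool has not run since the config was
    written; that is reported as 'not applied' rather than as an error.
    """
    try:
        return read_policy_name(config) == read_policy_name(current)
    except FileNotFoundError:
        return False


def manifest(backends: str = BACKENDS) -> dict[str, str]:
    """Map every file below BACKENDS (relative path) to the SHA-256 of its
    content.  Symlinks are followed, so the hash covers the file a back-end
    actually reads."""
    digests = {}
    for root, _dirs, files in os.walk(backends):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, backends)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def drift(baseline: dict[str, str], backends: str = BACKENDS) -> dict[str, list[str]]:
    """Compare the current back-end files with BASELINE, a manifest() taken
    right after update-crypto-policies ran.  Any non-empty list means the
    generated configuration no longer matches what the tool produced."""
    now = manifest(backends)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in now),
        "unexpected": sorted(p for p in now if p not in baseline),
    }


def clean(report: dict[str, list[str]]) -> bool:
    """True when drift() found nothing."""
    return not any(report.values())


if __name__ == "__main__":
    # usage: audit.py save MANIFEST   (right after update-crypto-policies)
    #        audit.py check MANIFEST  (later, from cron or an audit job)
    action, store = sys.argv[1], sys.argv[2]
    if action == "save":
        with open(store, "w") as fh:
            json.dump(manifest(), fh, indent=1)
    else:
        with open(store) as fh:
            report = drift(json.load(fh))
        print("policy applied:", is_applied())
        print("back-end drift:", "none" if clean(report) else report)
```

       The manifest should be written by the same step that runs
       update-crypto-policies, otherwise a subsequent legitimate run of the
       tool is reported as drift.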

OPTIONS

       The following options are available in the update-crypto-policies
       tool.

       •   --no-reload: By default this tool causes some running applications
           to reload the configured policy. This option skips the reloading.


APPLICATION SUPPORT

       Applications in the operating system that provide a default
       configuration file that includes a cryptographic policy string will be
       modified gradually to support these policies.

       When an application provides a configuration file, the changes needed
       to utilize the system-wide policy are the following.

       •   Applications using OpenSSL: If an application allows the
           configuration of a ciphersuite string, the special cipher string
           "PROFILE=SYSTEM" should replace any other cipher string.
           Applications which use the default library settings automatically
           adhere to the policy. Applications following the policy inherit the
           settings for cipher suite preference. By default the OpenSSL
           library reads a configuration file when it is initialized. If the
           application does not override loading of the configuration file,
           the policy also sets the minimum TLS protocol version and default
           cipher suite preference via this file. If the application is
           long-running, such as the httpd server, it has to be restarted to
           reload the configuration file after the policy is changed;
           otherwise the changed policy cannot take effect.

       •   Applications using GnuTLS: Applications using GnuTLS will load the
           crypto policies by default. To prevent applications from adhering
           to the policy, the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
           must be set to an empty file (e.g., /dev/null). The policy covers
           the settings for cipher suite preference, TLS and DTLS protocol
           versions, allowed elliptic curves, and limits for cryptographic
           keys.

       •   Applications using NSS: Applications using NSS will load the crypto
           policies by default. They inherit the settings for cipher suite
           preference, TLS and DTLS protocol versions, allowed elliptic
           curves, and limits for cryptographic keys. To prevent applications
           from adhering to the policy, the NSS_IGNORE_SYSTEM_POLICY
           environment variable must be set to 1 prior to executing that
           application.

       •   Applications using Java: No special treatment is required.
           Applications using Java will load the crypto policies by default.
           These applications will then inherit the settings for allowed
           cipher suites, allowed TLS and DTLS protocol versions, allowed
           elliptic curves, and limits for cryptographic keys. To prevent
           OpenJDK applications from adhering to the policy, either edit the
           <java.home>/jre/lib/security/java.security file to contain
           security.useSystemPropertiesFile=false, or set the system property
           java.security.disableSystemPropertiesFile to true. Note that the
           system property java.security.properties is loaded with a lower
           precedence than the crypto policies, so you cannot use this
           property to override crypto policies without also preventing
           OpenJDK applications from adhering to the policy.

       •   Applications using libkrb5: No special treatment is required.
           Applications will follow the crypto policies by default. These
           applications inherit the settings for the permitted encryption
           types for tickets as well as the cryptographic key limits for the
           PKINIT protocol. A system-wide opt-out is available by deleting the
           /etc/krb5.conf.d/crypto-policies link.

       •   BIND: This application inherits the set of blacklisted algorithms.
           To opt out of the policy, remove the policy include directive from
           the named.conf file.

       •   OpenSSH: Both the server and the client inherit the cipher
           preferences, the key exchange algorithms as well as the GSSAPI key
           exchange algorithms. To opt out of the policy for the client,
           override the global ssh_config with a user-specific configuration
           in ~/.ssh/config. See ssh_config(5) for more information. To
           override some configuration option in the server, use the drop-in
           directory /etc/ssh/sshd_config.d/ to create a file
           lexicographically preceding 05-redhat.conf, which currently
           includes the crypto policies configuration file. The file must sort
           before 05-redhat.conf because sshd uses the first value it obtains
           for an option and ignores any later ones.

       •   Libreswan: Both servers and clients inherit the ESP and IKE
           preferences, if they are not overridden in the connection
           configuration file. Note that due to limitations of libreswan,
           crypto policies support is restricted to IKEv2. To opt out of the
           policy, comment out the line including
           /etc/crypto-policies/back-ends/libreswan.config from
           /etc/ipsec.conf.

       •   Applications using libssh: Both client and server applications
           using libssh will load the crypto policies by default. They inherit
           the cipher, key exchange, message authentication, and signature
           algorithm preferences.


POLICY CONFIGURATION

       One of the supported profiles should be set in
       /etc/crypto-policies/config and this script should be run afterwards.

       In case of a parsing error no policies will be updated.


CUSTOM POLICIES

       Custom policies can take two forms. The first form is a full custom
       policy file, which is supported by the update-crypto-policies tool in
       the same way as the policies shipped with the tool in the package.

       The second form can be called a subpolicy or policy modifier. This form
       modifies aspects of any base policy file by removing or adding
       algorithms or protocols. The subpolicies can be appended to the base
       policy on the update-crypto-policies --set command line, separated by
       the : character. There can be multiple subpolicies appended; they are
       applied in the order given, each on top of the result of the previous
       one.

       Let's suppose we have a subpolicy NO-SHA1 that drops support for the
       SHA1 hash and a subpolicy GOST that enables support for the various
       algorithms specified in the Russian GOST standards. You can set the
       DEFAULT policy with SHA1 support disabled and GOST support enabled by
       running the following command:

       update-crypto-policies --set DEFAULT:NO-SHA1:GOST

       This command generates and applies a configuration that is the DEFAULT
       policy modified by the changes specified in the NO-SHA1 and GOST
       subpolicies.

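       To make the composition rule concrete, the Python model below is an
       added example, not the crypto-policies parser, and uses a deliberately
       simplified policy syntax: a line "property = A B" lists values, a
       subpolicy line "property = -A" removes A, and "property = +A" appends
       it. The DEFAULT, NO-SHA1 and GOST definitions and the algorithm names
       in them are constructed for illustration and are much shorter than the
       real ones. The model applies subpolicies left to right on top of the
       base and parses every file before applying anything, so a parsing
       error in any one of them yields no policy at all.

```python
"""Toy model of resolving a BASE:SUB1:SUB2 policy string into one policy.

Added example, not the crypto-policies parser.  Simplified syntax:

    prop = A B C    list the values of prop (base policy, or a replacement
                    list in a subpolicy)
    prop = -A       subpolicy: remove A, keeping the order of the rest
    prop = +A       subpolicy: append A unless already present

Subpolicies apply left to right on top of the base.  Every file is parsed
before anything is applied, so one malformed file yields no policy at all,
mirroring the rule that a parsing error leaves the policies untouched.
"""

# Constructed, abbreviated policy texts.  The algorithm names are illustrative;
# the real DEFAULT, NO-SHA1 and GOST definitions are longer and may differ.
CATALOG = {
    "DEFAULT": """
        # base policy
        hash = SHA2-256 SHA2-384 SHA2-512 SHA1
        sign = RSA-PSS-SHA2-256 RSA-SHA2-256 ECDSA-SHA2-256 RSA-SHA1
        protocol = TLS1.3 TLS1.2
    """,
    "NO-SHA1": """
        hash = -SHA1
        sign = -RSA-SHA1
    """,
    "GOST": """
        hash = +GOSTR341112-256
        sign = +GOSTR341012-256
    """,
    "BROKEN": """
        hash SHA2-256
    """,
}

Policy = dict[str, list[str]]


def parse(name: str, text: str) -> list[tuple[str, list[str]]]:
    """Return (property, tokens) per line; raise ValueError on a malformed line."""
    lines = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        prop, sep, values = line.partition("=")
        prop = prop.strip()
        if not sep or not prop:
            raise ValueError(f"{name} line {lineno}: expected 'property = values', got {raw.strip()!r}")
        lines.append((prop, values.split()))
    return lines


def apply_line(policy: Policy, prop: str, tokens: list[str]) -> None:
    """Apply one subpolicy line to POLICY in place."""
    modifiers = [t for t in tokens if t[0] in "+-"]
    if modifiers and len(modifiers) != len(tokens):
        raise ValueError(f"{prop}: cannot mix +/- modifiers with a plain value list")
    if not modifiers:
        policy[prop] = list(tokens)     # a plain list (possibly empty) replaces everything
        return
    values = list(policy.get(prop, []))
    for token in tokens:
        op, algorithm = token[0], token[1:]
        if not algorithm:
            raise ValueError(f"{prop}: bare {op!r} without an algorithm name")
        if op == "-":
            values = [v for v in values if v != algorithm]
        elif algorithm not in values:
            values.append(algorithm)
    policy[prop] = values


def resolve(spec: str, catalog: dict[str, str] = CATALOG) -> Policy:
    """Resolve 'BASE[:SUB...]' (the --set argument) to the effective policy."""
    names = [n.strip() for n in spec.split(":")]
    unknown = [n for n in names if n not in catalog]
    if unknown:
        raise KeyError(f"unknown policy or subpolicy: {unknown}")
    parsed = [(n, parse(n, catalog[n])) for n in names]   # parse all before applying
    base, *subpolicies = parsed
    policy: Policy = {}
    for prop, tokens in base[1]:
        if any(t[0] in "+-" for t in tokens):
            raise ValueError(f"{base[0]}: a base policy lists values, it cannot use +/- modifiers")
        policy[prop] = list(tokens)
    for _name, lines in subpolicies:
        for prop, tokens in lines:
            apply_line(policy, prop, tokens)
    return policy


if __name__ == "__main__":
    for prop, values in resolve("DEFAULT:NO-SHA1:GOST").items():
        print(f"{prop} = {' '.join(values)}")
```

       With these constructed definitions the hash list of
       DEFAULT:NO-SHA1:GOST ends up as SHA2-256 SHA2-384 SHA2-512
       GOSTR341112-256: SHA1 is removed first, then the GOST hash is
       appended. A subpolicy that replaces a whole list instead of using +/-
       makes the order matter, which is why the spec is applied strictly left
       to right.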

FILES

       /etc/crypto-policies/config
           The file contains the system policy to be applied when
           update-crypto-policies is run without any arguments. It should
           contain a string of one of the profiles listed in the
           crypto-policies(7) page (e.g., DEFAULT) or any custom policy name,
           optionally followed by subpolicies separated by the : character.
           The file is overwritten when update-crypto-policies --set is
           executed.

       /etc/crypto-policies/back-ends
           Contains the generated policies in separate files, in a format
           readable by the supported back-ends.

       /etc/crypto-policies/local.d
           Contains additional files to be appended to the generated policy
           files. The files present must adhere to the $app-XXX.config file
           naming, where $app is the back-end name and XXX is any arbitrary
           identifier. For example, to append a line to the GnuTLS generated
           policy, create a gnutls-extra-line.config file in local.d. Its
           content will be appended to the generated gnutls.config during
           update-crypto-policies. Please note that because the mechanism
           just appends the file to the back-end configuration, the effect
           varies among the back-ends: for some back-ends the appended
           override fully replaces the original policy, and for other
           back-ends the override might not be effective at all.

       /etc/crypto-policies/state/current
           The file contains the current system policy name, with any
           subpolicies, as of the last execution of the update-crypto-policies
           command.

       /etc/crypto-policies/state/CURRENT.pol
           The file contains the current system policy definition with all the
           modifications from any subpolicies applied; it is written when the
           update-crypto-policies command is executed.


SEE ALSO

       crypto-policies(7), fips-mode-setup(8)


AUTHOR

       Written by Nikos Mavrogiannopoulos.



update-crypto-policies            02/13/2021             UPDATE-CRYPTO-POLI(8)