1UPDATE-CRYPTO-POLI(8)                                    UPDATE-CRYPTO-POLI(8)
2
3
4

NAME

6       update-crypto-policies - manage the policies available to the various
7       cryptographic back-ends.
8

SYNOPSIS

10       update-crypto-policies [COMMAND]
11

DESCRIPTION

13       update-crypto-policies(8) is used to set the policy applicable for the
14       various cryptographic back-ends, such as SSL/TLS libraries. The policy
15       aims to control the back-end default algorithm selections unless the
16       application user configures them otherwise.
17
18       The available policies are described in the crypto-policies(7) manual
19       page.
20
21       The desired system policy is selected in /etc/crypto-policies/config
22       and this tool will generate the individual policy requirements for all
23       back-ends that support such configuration. After this tool is called
24       and all the affected applications are restarted, the administrator is
25       assured that any application that utilizes the supported back-ends will
26       follow the specified policy.
27
28       Note that the above assurance does apply to the extent that
29       applications are configured to follow the default policy (the details
30       vary on the back-end, see below for more information).
31
32       The generated back-end policies will be placed in
33       /etc/crypto-policies/back-ends. Currently the supported back-ends (and
34       directive scopes they respect) are:
35
36       •   GnuTLS library (GnuTLS, SSL, TLS)
37
38       •   OpenSSL library (OpenSSL, SSL, TLS)
39
40       •   NSS library (NSS, SSL, TLS)
41
42       •   OpenJDK (java-tls, SSL, TLS)
43
44       •   Libkrb5 (krb5, kerberos)
45
46       •   BIND (BIND, DNSSec)
47
48       •   OpenSSH (OpenSSH, SSH)
49
50       •   Libreswan (libreswan, IKE, IPSec)
51
52       •   libssh (libssh, SSH)
53
54       Applications and languages which rely on any of these back-ends will
55       follow the system policies as well. Examples are apache httpd, nginx,
56       php, and others.
57
58       In general after changing the system crypto policies with the
59       update-crypto-policies --set command it is recommended to restart the
60       system for the effect to fully take place as the policy configuration
61       files are loaded on application start-up. Otherwise applications
62       started before the command was run need to be restarted to load the
63       updated configuration.
64

COMMANDS

66       The following commands are available in update-crypto-policies tool.
67
68       •   --set: Sets the current policy and overwrites the config file.
69
70       •   --show: Shows the currently applied crypto policy.
71
72       •   --is-applied: Returns success if the currently configured policy in
73           the config file was applied by running the update-crypto-policies.
74
75       •   --check: Returns success if freshly generated configuration files
76           match the current policy. The check will return failure if there is
77           a manual modification of the back-end configuration files or a
78           newer version of crypto-policies package is installed without
79           running update-crypto-policies. This should not happen with system
80           updates because update-crypto-policies is run implicitly there.
81

OPTIONS

83       The following options are available in update-crypto-policies tool.
84
85       •   --no-reload: By default this tool causes some running applications
86           to reload the configured policy. This option skips the reloading.
87

APPLICATION SUPPORT

89       Applications in the operating system that provide a default
90       configuration file that includes a cryptographic policy string will be
91       modified gradually to support these policies.
92
93       When an application provides a configuration file, the changes needed
94       to utilize the system-wide policy are the following.
95
96       •   Applications using OpenSSL: If an application allows the
97           configuration of ciphersuite string, the special cipher string
98           "PROFILE=SYSTEM" should replace any other cipher string.
99           Applications which use the default library settings automatically
100           adhere to the policy. Applications following the policy inherit the
101           settings for cipher suite preference. By default the OpenSSL
102           library reads a configuration file when it is initialized. If the
103           application does not override loading of the configuration file,
104           the policy also sets the minimum TLS protocol version and default
105           cipher suite preference via this file. If the application is
106           long-running such as the httpd server it has to be restarted to
107           reload the configuration file after policy is changed. Otherwise
108           the changed policy cannot take effect.
109
110       •   Applications using GnuTLS: Applications using GnuTLS will load the
111           crypto policies by default. To prevent applications from adhering
112           to the policy the GNUTLS_SYSTEM_PRIORITY_FILE environment variable
113           must be set on an empty file (e.g., /dev/null). The policy covers
114           the settings for cipher suite preference, TLS and DTLS protocol
115           versions, allowed elliptic curves, and limits for cryptographic
116           keys.
117
118       •   Applications using NSS: Applications using NSS will load the crypto
119           policies by default. They inherit the settings for cipher suite
120           preference, TLS and DTLS protocol versions, allowed elliptic
121           curves, and limits for cryptographic keys. To prevent applications
122           from adhering to the policy the NSS_IGNORE_SYSTEM_POLICY
123           environment variable must be set to 1 prior to executing that
124           application.
125
126       •   Applications using Java: No special treatment is required.
127           Applications using Java will load the crypto policies by default.
128           These applications will then inherit the settings for allowed
129           cipher suites, allowed TLS and DTLS protocol versions, allowed
130           elliptic curves, and limits for cryptographic keys. To prevent
131           openjdk applications from adhering to the policy the
132           <java.home>/jre/lib/security/java.security file should be edited to
133           contain security.useSystemPropertiesFile=false or the system
134           property java.security.disableSystemPropertiesFile be set to true.
135           Note that the system property java.security.properties is loaded
136           with a lower preference than the crypto policies, so you can’t use
137           this property to override crypto policies without also preventing
138           openjdk applications from adhering to the policy.
139
140       •   Applications using libkrb5: No special treatment is required.
141           Applications will follow the crypto policies by default. These
142           applications inherit the settings for the permitted encryption
143           types for tickets as well as the cryptographic key limits for the
144           PKINIT protocol. A system-wide opt-out is available by deleting the
145           /etc/krb5.conf.d/crypto-policies link.
146
147       •   BIND: This application inherits the set of disabled algorithms. To
148           opt-out from the policy, remove the policy include directive in the
149           named.conf file.
150
151       •   OpenSSH: Both server and client application inherits the cipher
152           preferences, the key exchange algorithms as well as the GSSAPI key
153           exchange algorithms. To opt-out from the policy for client,
154           override the global ssh_config with a user-specific configuration
155           in ~/.ssh/config. See ssh_config(5) for more information. To
156           override some configuration option in server, use a drop-in
157           directory /etc/ssh/sshd_config.d/ to create a file
158           lexicographically preceding 05-redhat.conf which is currently
159           including crypto policies configuration file.
160
161       •   Libreswan: Both servers and clients inherit the ESP and IKE
162           preferences, if they are not overridden in the connection
163           configuration file. Note that due to limitations of libreswan,
164           crypto policies is restricted to supporting IKEv2. To opt-out from
165           the policy, comment the line including
166           /etc/crypto-policies/back-ends/libreswan.config from
167           /etc/ipsec.conf.
168
169       •   Applications using libssh: Both client and server applications
170           using libssh will load the crypto policies by default. They inherit
171           the ciphers, key exchange, message authentication, and signature
172           algorithms preferences.
173

POLICY CONFIGURATION

175       One of the supported policies should be set in
176       /etc/crypto-policies/config and this script should be run afterwards.
177
178       In case of a parsing error no policies will be updated.
179

CUSTOM POLICIES

181       The custom policies can take two forms. First form is a full custom
182       policy file which is supported by the update-crypto-policies tool in
183       the same way as the policies shipped along the tool in the package.
184
185       The second form can be called a subpolicy or policy modifier. This form
186       modifies aspects of any base policy file by removing or adding
187       algorithms or protocols. The subpolicies can be appended on the
188       update-crypto-policies --set command line to the base policy separated
189       by the : character. There can be multiple subpolicies appended. The
190       resulting configuration is the same as if the policy and subpolicies
191       were concatenated together.
192
193       Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1
194       hash and subpolicy GOST that enables support for the various algorithms
195       specified in Russian GOST standards. You can set the DEFAULT policy
196       with disabled SHA1 support and enabled GOST support by running the
197       following command:
198
199       update-crypto-policies --set DEFAULT:NO-SHA1:GOST
200
201       This command generates and applies configuration that will be
202       modification of the DEFAULT policy with changes specified in the
203       NO-SHA1 and GOST subpolicies.
204

FILES

206       /etc/crypto-policies/config
207           The file contains the system policy to be applied when
208           update-crypto-policies is run without any arguments. It should
209           contain a string of one of the policies listed in the
210           crypto-policies(7) page (e.g., DEFAULT) or any custom policy name
211           with subpolicies separated by the : character. The file is
212           overwritten when update-crypto-policies --set is executed.
213
214       /etc/crypto-policies/back-ends
215           Contains the generated policies in separated files, and in a format
216           readable by the supported back ends.
217
218       /etc/crypto-policies/local.d
219           Contains additional files to be appended to the generated policy
220           files. The files present must adhere to $app-XXX.config file
221           naming, where XXX is any arbitrary identifier. For example, to
222           append a line to GnuTLS' generated policy, create a
223           gnutls-extra-line.config file in local.d. This will be appended to
224           the generated gnutls.config during update-crypto-policies. Please
225           note that because the mechanism just appends a line to the back-end
226           configuration the effect varies among the back-ends. For some of
227           the back-ends the override fully replaces the original policy and
228           for other back-ends the override might not be effective at all.
229
230       /etc/crypto-policies/state/current
231           The file contains the current system policy name with eventual
232           subpolicies as of the last execution of the update-crypto-policies
233           command.
234
235       /etc/crypto-policies/state/CURRENT.pol
236           The file contains the current system policy definition with all the
237           modifications from eventual subpolicies applied and is written when
238           the update-crypto-policies command is executed.
239

SEE ALSO

241       crypto-policies(7), fips-mode-setup(8)
242

AUTHOR

244       Written by Nikos Mavrogiannopoulos.
245
246
247
248update-crypto-policies            08/19/2021             UPDATE-CRYPTO-POLI(8)
Impressum