We all assume that the experts involved in the system and software development have a detailed understanding of the cryptographic policies and set it accordingly to keep everything safe from attackers. Whether this assumption is wrong or right, it is so important that the system and software operate under the right cryptographic policies.
The system-wide cryptographic policy is a package that configures the core cryptographic subsystems by enabling a set of protocols. This includes IPSec, TLS, DNSSec, SSH, and Kerberos protocols. This package provides a set of policies that the system admin can select from. The applications and services are compelled to use them and reject any other protocols that do not agree with the set policy. Applications that do not comply with the set policy can only use it if they are explicitly set to do so.
The following are the predefined cryptographic policies:
- DEFAULT: This is the default system-wide cryptographic policy that offers secure settings for all the current threats. This policy allows the TLS 1.2 and 1.3 protocols, IKEv2, and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are also accepted if they are at least 2048 bits long.
- LEGACY: This ensures maximum compatibility with Red Hat Enterprise Linux 6 and earlier. This is less secure and creates an increased attack surface. Here, SHA-1 can be used as a TLS hash, signature, and algorithm. Also, applications using GnuTLS allow certificates signed with SHA-1.
- FUTURE: This policy is believed to offer protection against near-future threats. It doesn’t allow SHA-1 to be used in DNSSec or as an HMAC. Here, SHA2-224 and SHA3-224 hashes as well as 128-bit ciphers are disabled. The RSA keys and Diffie-Hellman parameters are only accepted if they are at least 3072 bits long.
- FIPS: This policy conforms to the FIPS 140-2 standards. It is used internally with the
fips-mode-setuptool that switches the system to the FIPS mode.
This guide offers a deep illustration of how to configure system-wide cryptographic policies on RHEL / CentOS / Rocky / AlmaLinux
#1. Check system-wide cryptographic policies
The update-crypto-policies command is used to manage the system-wide cryptographic policy on RHEL / CentOS / Rocky / AlmaLinux. This package is preinstalled on many Rhel-based systems. If it is not available, install it with the command:
sudo yum -y install crypto-policies-scriptsDependency tree:
Dependencies resolved.
=======================================
Package Arch Version
Repo Size
=======================================
Upgrading:
crypto-policies noarch 20211116-1.gitae470d6.el8
baseos 63 k
crypto-policies-scripts
noarch 20211116-1.gitae470d6.el8
baseos 82 k
Transaction Summary
=======================================
Upgrade 2 Packages
Total download size: 145 k
Downloading Packages:
Once installed, check the current system-wide cryptographic policy on RHEL / CentOS / Rocky / AlmaLinux with the command:
$ sudo update-crypto-policies --show
DEFAULT#2. Set/Change system-wide cryptographic policies
The system-wide cryptographic policy can be switched to a preferred policy using the update-crypto-policiescommand.
The syntax of the command used is:
sudo update-crypto-policies --set <POLICY>For example, switching to the FUTURE policy, the command will be:
sudo update-crypto-policies --set FUTURE
Sample Output:
Once the policy has been set, it is recommended that you restart the system:
sudo reboot#3. Test the system-wide cryptographic policy
Each policy has its own set of rules. For this test, I assume that you have switched to the FUTURE policy that has SHA-1 disabled.
First, check the policy:
$ sudo update-crypto-policies --show
FUTURE
We will test this using the cURL command below:
curl https://sha1-intermediate.badssl.comSample Output:
From the above output, we see that the SHA-1 certificate has been disallowed. This proves that the FUTURE policy is working as desired.
#4. Excluding an application from system-wide crypto policies
As stated earlier, system-wide crypto policies compel a service or application to follow the set policies. However, you can exclude an application from following system-wide crypto policies.
This can be done by configuring the cipher suites and protocols directly in the application. You can also remove the system link from /etc/crypto-policies/back-ends to your application and replace it with customized policies.
To demonstrate this, I will use cURL with the --ciphersoption. For example
curl https://example.com --ciphers '@SECLEVEL=0:DES-CBC3-SHA:RSA-DES-CBC3-SHA'You can also use wget and specify both the --secure-protocoland --ciphers. For example:
wget --secure-protocol=TLSv1_1 --ciphers="SECURE128" https://example.com#5. Customize system-wide cryptographic policies with sub-policies
This is mainly done to adjust the set of enabled cryptographic algorithms or protocols. There are two ways to do this, you can either apply custom sub-policies on top of an existing system-wide cryptographic policy or define the policy from scratch.
First, navigate to the directory below:
cd /etc/crypto-policies/policies/modules/Create the sub-policies you want. Say,
sudo touch MYCRYPTO-1.pmod SCOPES-AND-WILDCARDS.pmodOpen the created sub-policy for editing:
sudo vi SCOPES-AND-WILDCARDS.pmodAdd the options to modify the existing system-wide cryptographic policy. For example:
# Disable the AES-128 cipher, all modes
cipher = -AES-128-*
# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK)
cipher@TLS = -CHACHA20-POLY1305
# Allow using the FFDHE-1024 group with the SSH protocol (libssh and OpenSSH)
group@SSH = FFDHE-1024+
# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH)
cipher@SSH = -*-CBC
# Allow the AES-256-CBC cipher in applications using libssh
cipher@libssh = AES-256-CBC+You can also edit the other file:
$ sudo vi MYCRYPTO-1.pmod
min_rsa_size = 3072
hash = SHA2-384 SHA2-512 SHA3-384 SHA3-512Once the changes have been saved, apply the modules:
$ sudo update-crypto-policies --set DEFAULT:MYCRYPTO-1:SCOPES-AND-WILDCARDS
Setting system policy to DEFAULT:MYCRYPTO-1:SCOPES-AND-WILDCARDS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.For the changes to apply, reboot your system.
sudo rebootOnce the system boot, check the new policy and sub-policy:
$ update-crypto-policies --show
DEFAULT:MYCRYPTO-1:SCOPES-AND-WILDCARDSRe-enabling SHA-1
Normally, the SHA-1 algorithm is disabled in the DEFAULT policy. You may however find yourself in a scenario where you need to use SHA-1 for verifying existing or third-party cryptographic signatures. You can enable it by applying it as a sub-policy. This policy is provided by RHEL9 in the DEFAULT policy.
For a system that uses the DEFAULT policy, set the SHA1 sub policy with the command:
$ sudo update-crypto-policies --set DEFAULT:SHA1
Setting system policy to DEFAULT:SHA1
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.Restart the system:
sudo rebootVerify the sub-policy set:
$ update-crypto-policies --show
DEFAULT:SHA1#6. Create a custom system-wide cryptographic policy
You can create a completely customized system-wide cryptographic policy for your system. The steps used to achieve this as shown below
First, create the policy file:
cd /etc/crypto-policies/policies/
sudo touch MYPOLICY.polThis file can also be created by copying a predefined policy from the 4 available policy levels. For example;
sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.polNow edit the file to suit your requirements:
sudo vi /etc/crypto-policies/policies/MYPOLICY.polOnce edited, apply the policy with the command:
sudo update-crypto-policies --set MYPOLICYReboot the system, for the changes to take effect.
sudo rebootWrap Up
That marks the end of this guide on how to configure system-wide cryptographic policies on RHEL / CentOS / Rocky / AlmaLinux. I hope this was important to you.
See more:
RHEL 8 vs RHEL 9 – Comparison Table
How To Reset oVirt/RHEV admin user password
How To Set System Proxy on Debian
