UPDATE−CRYPTO−POLI - Online Linux Manual PageSection : 8
Updated : 03/01/2023
Source : update−crypto−policies
Note :  ​

NAMEupdate-crypto-policies − manage the policies available to the various cryptographic back−ends​.

SYNOPSISupdate−crypto−policies [COMMAND]

DESCRIPTIONupdate−crypto−policies(8) is used to set the policy applicable for the various cryptographic back−ends, such as SSL/TLS libraries​. The policy aims to control the back−end default algorithm selections unless the application user configures them otherwise​. The available policies are described in the crypto−policies(7) manual page​. The desired system policy is selected in /etc/crypto−policies/config and this tool will generate the individual policy requirements for all back−ends that support such configuration​. After this tool is called and all the affected applications are restarted, the administrator is assured that any application that utilizes the supported back−ends will follow the specified policy​. Note that the above assurance does apply to the extent that applications are configured to follow the default policy (the details vary on the back−end, see below for more information)​. The generated back−end policies will be placed in /etc/crypto−policies/back−ends​. Currently the supported back−ends (and directive scopes they respect) are: •  GnuTLS library (GnuTLS, SSL, TLS) •  OpenSSL library (OpenSSL, SSL, TLS) •  NSS library (NSS, SSL, TLS) •  OpenJDK (java−tls, SSL, TLS) •  Libkrb5 (krb5, kerberos) •  BIND (BIND, DNSSec) •  OpenSSH (OpenSSH, SSH) •  Libreswan (libreswan, IKE, IPSec) •  libssh (libssh, SSH) Applications and languages which rely on any of these back−ends will follow the system policies as well​. Examples are apache httpd, nginx, php, and others​. In general after changing the system crypto policies with the update−crypto−policies −−set command it is recommended to restart the system for the effect to fully take place as the policy configuration files are loaded on application start−up​. Otherwise applications started before the command was run need to be restarted to load the updated configuration​.

COMMANDSThe following commands are available in update−crypto−policies tool​. •  −−set: Sets the current policy and overwrites the config file​. •  −−show: Shows the currently applied crypto policy​. •  −−is−applied: Returns success if the currently configured policy in the config file was applied by running the update−crypto−policies​. •  −−check: Returns success if freshly generated configuration files match the current policy​. The check will return failure if there is a manual modification of the back−end configuration files or a newer version of crypto−policies package is installed without running update−crypto−policies​. This should not happen with system updates because update−crypto−policies is run implicitly there​.

OPTIONSThe following options are available in update−crypto−policies tool​. •  −−no−reload: By default this tool causes some running applications to reload the configured policy​. This option skips the reloading​.

APPLICATION SUPPORTApplications in the operating system that provide a default configuration file that includes a cryptographic policy string will be modified gradually to support these policies​. When an application provides a configuration file, the changes needed to utilize the system−wide policy are the following​. •  Applications using OpenSSL: If an application allows the configuration of ciphersuite string, the special cipher string "PROFILE=SYSTEM" should replace any other cipher string​. Applications which use the default library settings automatically adhere to the policy​. Applications following the policy inherit the settings for cipher suite preference​. By default the OpenSSL library reads a configuration file when it is initialized​. If the application does not override loading of the configuration file, the policy also sets the minimum TLS protocol version and default cipher suite preference via this file​. If the application is long−running such as the httpd server it has to be restarted to reload the configuration file after policy is changed​. Otherwise the changed policy cannot take effect​. •  Applications using GnuTLS: Applications using GnuTLS will load the crypto policies by default​. To prevent applications from adhering to the policy the GNUTLS_SYSTEM_PRIORITY_FILE environment variable must be set on an empty file (e​.g​., /dev/null)​. The policy covers the settings for cipher suite preference, TLS and DTLS protocol versions, allowed elliptic curves, and limits for cryptographic keys​. •  Applications using NSS: Applications using NSS will load the crypto policies by default​. They inherit the settings for cipher suite preference, TLS and DTLS protocol versions, allowed elliptic curves, and limits for cryptographic keys​. To prevent applications from adhering to the policy the NSS_IGNORE_SYSTEM_POLICY environment variable must be set to 1 prior to executing that application​. •  Applications using Java: No special treatment is required​. Applications using Java will load the crypto policies by default​. These applications will then inherit the settings for allowed cipher suites, allowed TLS and DTLS protocol versions, allowed elliptic curves, and limits for cryptographic keys​. To prevent openjdk applications from adhering to the policy the <java​.home>/jre/lib/security/java​.security file should be edited to contain security​.useSystemPropertiesFile=false or the system property java​.security​.disableSystemPropertiesFile be set to true​. Note that the system property java​.security​.properties is loaded with a lower preference than the crypto policies, so you cant use this property to override crypto policies without also preventing openjdk applications from adhering to the policy​. •  Applications using libkrb5: No special treatment is required​. Applications will follow the crypto policies by default​. These applications inherit the settings for the permitted encryption types for tickets as well as the cryptographic key limits for the PKINIT protocol​. A system−wide opt−out is available by deleting the /etc/krb5​.conf​.d/crypto−policies link​. •  BIND: This application inherits the set of disabled algorithms​. To opt−out from the policy, remove the policy include directive in the named​.conf file​. •  OpenSSH: Both server and client application inherits the cipher preferences, the key exchange algorithms as well as the GSSAPI key exchange algorithms​. To opt−out from the policy for client, override the global ssh_config with a user−specific configuration in ~/​.ssh/config​. See ssh_config(5) for more information​. To override some configuration option in server, use a drop−in directory /etc/ssh/sshd_config​.d/ to create a file lexicographically preceding 05−redhat​.conf which is currently including crypto policies configuration file​. •  Libreswan: Both servers and clients inherit the ESP and IKE preferences, if they are not overridden in the connection configuration file​. Note that due to limitations of libreswan, crypto policies is restricted to supporting IKEv2​. To opt−out from the policy, comment the line including /etc/crypto−policies/back−ends/libreswan​.config from /etc/ipsec​.conf​. •  Applications using libssh: Both client and server applications using libssh will load the crypto policies by default​. They inherit the ciphers, key exchange, message authentication, and signature algorithms preferences​.

POLICY CONFIGURATIONOne of the supported policies should be set in /etc/crypto−policies/config and this script should be run afterwards​. In case of a parsing error no policies will be updated​.

CUSTOM POLICIESThe custom policies can take two forms​. First form is a full custom policy file which is supported by the update−crypto−policies tool in the same way as the policies shipped along the tool in the package​. The second form can be called a subpolicy or policy modifier​. This form modifies aspects of any base policy file by removing or adding algorithms or protocols​. The subpolicies can be appended on the update−crypto−policies −−set command line to the base policy separated by the : character​. There can be multiple subpolicies appended​. The resulting configuration is the same as if the policy and subpolicies were concatenated together​. Lets suppose we have subpolicy NO−SHA1 that drops support for SHA1 hash and subpolicy GOST that enables support for the various algorithms specified in Russian GOST standards​. You can set the DEFAULT policy with disabled SHA1 support and enabled GOST support by running the following command: update−crypto−policies −−set DEFAULT:NO−SHA1:GOST This command generates and applies configuration that will be modification of the DEFAULT policy with changes specified in the NO−SHA1 and GOST subpolicies​.

FILES/etc/crypto−policies/config The file contains the system policy to be applied when update−crypto−policies is run without any arguments​. It should contain a string of one of the policies listed in the crypto−policies(7) page (e​.g​., DEFAULT) or any custom policy name with subpolicies separated by the : character​. The file is overwritten when update−crypto−policies −−set is executed​. /etc/crypto−policies/back−ends Contains the generated policies in separated files, and in a format readable by the supported back ends​. /etc/crypto−policies/local​.d Contains additional files to be appended to the generated policy files​. The files present must adhere to $app−XXX​.config file naming, where XXX is any arbitrary identifier​. For example, to append a line to GnuTLS' generated policy, create a gnutls−extra−line​.config file in local​.d​. This will be appended to the generated gnutls​.config during update−crypto−policies​. Please note that because the mechanism just appends a line to the back−end configuration the effect varies among the back−ends​. For some of the back−ends the override fully replaces the original policy and for other back−ends the override might not be effective at all​. /etc/crypto−policies/state/current The file contains the current system policy name with eventual subpolicies as of the last execution of the update−crypto−policies command​. /etc/crypto−policies/state/CURRENT​.pol The file contains the current system policy definition with all the modifications from eventual subpolicies applied and is written when the update−crypto−policies command is executed​.

SEE ALSOcrypto−policies(7), fips−mode−setup(8)

AUTHORWritten by Nikos Mavrogiannopoulos​.
0
Johanes Gumabo
Data Size   :   29,209 byte
man-update-crypto-policies.8Build   :   2024-12-05, 20:55   :  
Visitor Screen   :   x
Visitor Counter ( page / site )   :   4 / 171,544
Visitor ID   :     :  
Visitor IP   :   18.119.135.67   :  
Visitor Provider   :   AMAZON-02   :  
Provider Position ( lat x lon )   :   39.962500 x -83.006100   :   x
Provider Accuracy Radius ( km )   :   1000   :  
Provider City   :   Columbus   :  
Provider Province   :   Ohio ,   :   ,
Provider Country   :   United States   :  
Provider Continent   :   North America   :  
Visitor Recorder   :   Version   :  
Visitor Recorder   :   Library   :  
Online Linux Manual Page   :   Version   :   Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page   :   Library   :   lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page   :   Library   :   lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base   :   Version   :   Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base   :   Library   :   lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36

Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.