NAME<\/a> crypto-policies \u2212 system\u2212wide crypto policies overview<\/p>\n The security of cryptographic components of the operating system does not remain constant over time. Algorithms, such as cryptographic hashing and encryption, typically have a lifetime, after which they are considered either too risky to use or plain insecure. That means, we need to phase out such algorithms from the default settings or completely disable them if they could cause an irreparable problem.<\/p>\n While in the past the algorithms were not disabled in a consistent way and different applications applied different policies, the system\u2212wide crypto\u2212policies followed by the crypto core components allow consistently deprecating and disabling algorithms system\u2212wide.<\/p>\n The individual policy levels (DEFAULT<\/b>, LEGACY<\/b>, FUTURE<\/b>, and FIPS<\/b>) are included in the crypto\u2212policies(7)<\/b> package. In the future, there will be also a mechanism for easy creation and deployment of policies defined by the system administrator or a third party vendor.<\/p>\n For rationale, see RFC 7457<\/b> for a list of attacks taking advantage of legacy crypto algorithms.<\/p>\n Crypto\u2212policies apply to the configuration of the core cryptographic subsystems, covering TLS<\/b>, IKE<\/b>, IPSec<\/b>, DNSSec<\/b>, and Kerberos<\/b> protocols; i.e., the supported secure communications protocols on the base operating system.<\/p>\n Once an application runs in the operating system, it follows the default or selected policy and refuses to fall back to algorithms and protocols not within the policy, unless the user has explicitly requested the application to do so. That is, the policy applies to the default behavior of applications when running with the system\u2212provided configuration but the user can override it on an application\u2212specific basis.<\/p>\n The policies currently provide settings for these applications and libraries:<\/p>\n \u2022 BIND<\/b> DNS name server daemon<\/p>\n \u2022 GnuTLS<\/b> TLS library<\/p>\n \u2022 OpenJDK<\/b> runtime environment<\/p>\n \u2022 Kerberos 5<\/b> library<\/p>\n \u2022 Libreswan<\/b> IPsec and IKE protocol implementation<\/p>\n \u2022 NSS<\/b> TLS library<\/p>\n \u2022 OpenSSH<\/b> SSH2 protocol implementation<\/p>\n \u2022 OpenSSL<\/b> TLS library<\/p>\n \u2022 libssh<\/b> SSH2 protocol implementation<\/p>\n Applications using the above libraries and tools are covered by the cryptographic policies unless they are explicitly configured not to be so.<\/p>\n LEGACY<\/b><\/p>\n This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for TLS 1.0<\/b>, TLS 1.1<\/b>, and SSH2<\/b> protocols or later. The algorithms DSA<\/b>, 3DES<\/b>, and RC4<\/b> are allowed, while RSA<\/b> and Diffie\u2212Hellman<\/b> parameters are accepted if larger than 1023 bits. The level provides at least 64\u2212bit security.<\/p>\n \u2022 MACs: all HMAC<\/b> with SHA\u22121<\/b> or better + all modern MACs (Poly1305<\/b> etc.)<\/p>\n \u2022 Curves: all prime >= 255 bits (including Bernstein curves)<\/p>\n \u2022 Signature algorithms: with SHA1<\/b> hash or better (DSA<\/b> allowed)<\/p>\n \u2022 TLS<\/b> Ciphers: all available >= 112\u2212bit key, >= 128\u2212bit block (including RC4<\/b> and 3DES<\/b>)<\/p>\n \u2022 Non\u2212TLS Ciphers: same as TLS<\/b> ciphers with added Camellia<\/b><\/p>\n \u2022 Key exchange: ECDHE<\/b>, RSA<\/b>, DHE<\/b><\/p>\n \u2022 DH<\/b> params size: >= 1023<\/p>\n \u2022 RSA<\/b> keys size: >= 1023<\/p>\n \u2022 DSA<\/b> params size: >= 1023<\/p>\n \u2022 TLS<\/b> protocols: TLS<\/b> >= 1.0, DTLS<\/b> >= 1.0<\/p>\n DEFAULT<\/b><\/p>\n The DEFAULT<\/b> policy is a reasonable default policy for today\u2019s standards. It allows the TLS 1.2<\/b>, and TLS 1.3<\/b> protocols, as well as IKEv2<\/b> and SSH2<\/b>. The Diffie\u2212Hellman<\/b> parameters are accepted if they are at least 2048 bits long. The level provides at least 112\u2212bit security with the exception of allowing SHA\u22121<\/b> signatures in DNSSec where they are still prevalent.<\/p>\n \u2022 MACs: all HMAC<\/b> with SHA\u22121<\/b> or better + all modern MACs (Poly1305<\/b> etc.)<\/p>\n \u2022 Curves: all prime >= 255 bits (including Bernstein curves)<\/p>\n \u2022 Signature algorithms: with SHA\u2212224<\/b> hash or better (no DSA<\/b>)<\/p>\n \u2022 TLS<\/b> Ciphers: >= 128\u2212bit key, >= 128\u2212bit block (AES<\/b>, ChaCha20<\/b>, including AES\u2212CBC<\/b>)<\/p>\n \u2022 non\u2212TLS Ciphers: as TLS<\/b> Ciphers with added Camellia<\/b><\/p>\n \u2022 key exchange: ECDHE<\/b>, RSA<\/b>, DHE<\/b> (no DHE\u2212DSS<\/b>)<\/p>\n \u2022 DH<\/b> params size: >= 2048<\/p>\n \u2022 RSA<\/b> keys size: >= 2048<\/p>\n \u2022 TLS<\/b> protocols: TLS<\/b> >= 1.2, DTLS<\/b> >= 1.2<\/p>\n NEXT<\/b><\/p>\n The NEXT<\/b> policy is just an alias to the DEFAULT<\/b> policy.<\/p>\n FUTURE<\/b><\/p>\n A conservative security level that is believed to withstand any near\u2212term future attacks. This level does not allow the use of SHA\u22121<\/b> in signature algorithms. The level also provides some (not complete) preparation for post\u2212quantum encryption support in form of 256\u2212bit symmetric encryption requirement. The RSA<\/b> and Diffie\u2212Hellman<\/b> parameters are accepted if larger than 3071 bits. The level provides at least 128\u2212bit security.<\/p>\n \u2022 MACs: all HMAC<\/b> with SHA\u2212256<\/b> or better + all modern MACs (Poly1305<\/b> etc.)<\/p>\n \u2022 Curves: all prime >= 255 bits (including Bernstein curves)<\/p>\n \u2022 Signature algorithms: with SHA\u2212256<\/b> hash or better (no DSA<\/b>)<\/p>\n \u2022 TLS<\/b> Ciphers: >= 256\u2212bit key, >= 128\u2212bit block, only Authenticated Encryption (AE) ciphers<\/p>\n \u2022 non\u2212TLS Ciphers: same as TLS<\/b> ciphers with added non AE ciphers and Camellia<\/b><\/p>\n \u2022 key exchange: ECDHE<\/b>, DHE<\/b> (no DHE\u2212DSS<\/b>, no RSA<\/b>)<\/p>\n \u2022 DH<\/b> params size: >= 3072<\/p>\n \u2022 RSA<\/b> keys size: >= 3072<\/p>\n \u2022 TLS<\/b> protocols: TLS<\/b> >= 1.2, DTLS<\/b> >= 1.2<\/p>\n FIPS<\/b><\/p>\n A level that conforms to the FIPS 140\u22122<\/b> requirements. This policy is used internally by the fips\u2212mode\u2212setup(8)<\/b> tool which can switch the system into the FIPS 140\u22122<\/b> compliance mode. The level provides at least 112\u2212bit security.<\/p>\n \u2022 MACs: all HMAC<\/b> with SHA1<\/b> or better<\/p>\n \u2022 Curves: all prime >= 256 bits<\/p>\n \u2022 Signature algorithms: with SHA\u2212256<\/b> hash or better (no DSA<\/b>)<\/p>\n \u2022 TLS<\/b> Ciphers: >= 128\u2212bit key, >= 128\u2212bit block (AES<\/b>, including AES\u2212CBC<\/b>)<\/p>\n \u2022 non\u2212TLS Ciphers: same as TLS<\/b> Ciphers<\/p>\n \u2022 key exchange: ECDHE<\/b>, DHE<\/b> (no DHE\u2212DSS<\/b>, no RSA<\/b>)<\/p>\n \u2022 DH<\/b> params size: >= 2048<\/p>\n \u2022 RSA<\/b> params size: >= 2048<\/p>\n \u2022 TLS<\/b> protocols: TLS<\/b> >= 1.2, DTLS<\/b> >= 1.2<\/p>\n EMPTY<\/b><\/p>\n All cryptographic algorithms are disabled (used for debugging only, do not use).<\/p>\n The crypto policy definiton files have a simple syntax following an INI<\/b> file key<\/i> = value<\/i> syntax with these particular features:<\/p>\n \u2022 Comments are indicated by #<\/i> character. Everything on the line following the character is ignored.<\/p>\n \u2022 Backslash <\/i> character followed immediately with the end\u2212of\u2212line character indicates line continuation. The following line is concatenated to the current line after the backslash and end\u2212of\u2212line characters are removed.<\/p>\n \u2022 Value types can be either decimal integers, arbitrary strings, or lists of strings without whitespace characters separated by any number of whitespaces.<\/p>\n The allowed keys are:<\/p>\n \u2022 mac<\/b>: List of allowed MAC algorithms<\/p>\n \u2022 ssh_group<\/b>: Optional; list of allowed groups or elliptic curves for key exchanges for use with the SSH protocol. If absent, the value is derived from group<\/b>.<\/p>\n \u2022 group<\/b>: List of allowed groups or elliptic curves for key exchanges for use with other protocols<\/p>\n \u2022 hash<\/b>: List of allowed cryptographic hash (message digest) algorithms<\/p>\n \u2022 sign<\/b>: List of allowed signature algorithms<\/p>\n \u2022 tls_cipher<\/b>: Optional; list of allowed symmetric encryption algorithms (including the modes) for use with the TLS protocol. If absent, the value is derived from cipher<\/b>.<\/p>\n \u2022 ssh_cipher<\/b>: Optional; list of allowed symmetric encryption algorithms (including the modes) for use with the SSH protocol. If absent, the value is derived from cipher<\/b>.<\/p>\n \u2022 cipher<\/b>: List of allowed symmetric encryption algorithms (including the modes) for use with other protocols<\/p>\n \u2022 key_exchange<\/b>: List of allowed key exchange algorithms<\/p>\n \u2022 protocol<\/b>: List of allowed TLS and DTLS protocol versions (ignored by OpenSSL<\/b> and NSS<\/b> back ends)<\/p>\n \u2022 ike_protocol<\/b>: List of allowed IKE protocol versions<\/p>\n \u2022 min_tls_version<\/b>: Lowest allowed TLS protocol version (used only by OpenSSL<\/b> a and NSS<\/b> back ends)<\/p>\n \u2022 min_dtls_version<\/b>: Lowest allowed DTLS protocol version (used only by NSS<\/b> back end)<\/p>\n \u2022 min_dh_size<\/b>: Integer value of minimum number of bits of parameters for DH<\/b> key exchange<\/p>\n \u2022 min_dsa_size<\/b>: Integer value of minimum number of bits for DSA<\/b> keys<\/p>\n \u2022 min_rsa_size<\/b>: Integer value of minimum number of bits for RSA<\/b> keys<\/p>\n \u2022 sha1_in_certs<\/b>: Value of 1 if SHA1<\/b> allowed in certificate signatures, 0 otherwise (Applies to GnuTLS<\/b> back end only.)<\/p>\n \u2022 sha1_in_dnssec<\/b>: Value of 1 if SHA1<\/b> allowed in DNSSec protocol even if it is not present in the hash<\/b> and sign<\/b> lists, 0 otherwise (Applies to BIND<\/b> back end only.)<\/p>\n \u2022 arbitrary_dh_groups<\/b>: Value of 1 if arbitrary group in Diffie\u2212Hellman<\/b> is allowed, 0 otherwise<\/p>\n \u2022 ssh_certs<\/b>: Value of 1 if OpenSSH<\/b> certificate authentication is allowed, 0 otherwise<\/p>\n \u2022 ssh_etm<\/b>: Value of 1 if OpenSSH<\/b> EtM (encrypt\u2212then\u2212mac) extension is allowed, 0 otherwise<\/p>\n The full policy definition files have suffix .pol, the policy module definition files have suffix .pmod. The policy module files do not have to have values set for all the keys listed above.<\/p>\n The lists as set in the base (full policy) are modified by the lists specified in the module files in following way:<\/p>\n \u2022 \u2212<\/b>list\u2212item<\/i>: The list\u2212item<\/i> is removed from the list specified in the base policy.<\/p>\n \u2022 +<\/b>list\u2212item<\/i>: The list\u2212item<\/i> is inserted at the beginning of the list specified in the base policy. The inserts are done in the order of appearance in the policy module file so the actual order in the final list will be reversed.<\/p>\n \u2022 list\u2212item<\/i>+<\/b>: The list\u2212item<\/i> is appended to the end of the list specified in the base policy.<\/p>\n To completely override a list value in a module file just use list\u2212items<\/i> without any sign. Combining list\u2212items<\/i> with and without signs in a single list value assignment is not allowed however an existing list value can be modified in multiple further assignments.<\/p>\n Non\u2212list key values in the policy module files are simply overriden.<\/p>\n The keys marked as Optional<\/b> can be omitted in the policy definition files. In that case, the values will be derived from the base keys. Note that, this value propagation only applies to the policy definition files. In the policy module files, each key that needs modification must be explicitly specified.<\/p>\n Policy file placement and naming:<\/b><\/p>\n The policy files shipped in packages are placed in \/usr\/share\/crypto\u2212policies\/policies and the policy modules in \/usr\/share\/crypto\u2212policies\/policies\/modules.<\/p>\n The locally configured policy files are placed in \/etc\/crypto\u2212policies\/policies and the policy modules in \/etc\/crypto\u2212policies\/policies\/modules.<\/p>\n The policy and policy module files must have names in upper\u2212case except for the .pol and .pmod suffix as the update\u2212crypto\u2212policies command always converts the policy name to upper\u2212case before searching for the policy on the filesystem.<\/p>\n update\u2212crypto\u2212policies(8)<\/b><\/p>\n This command manages the policies available to the various cryptographic back ends and allows the system administrator to change the active cryptographic policy level.<\/p>\n fips\u2212mode\u2212setup(8)<\/b><\/p>\n This command allows the system administrator to enable, or disable the system FIPS mode and also apply the FIPS<\/b> cryptographic policy level which limits the allowed algorithms and protocols to these allowed by the FIPS 140\u22122 requirements.<\/p>\n Exceptions<\/b><\/p>\n \u2022 Go\u2212language<\/b> applications do not yet follow the system\u2212wide policy.<\/p>\n \u2022 GnuPG\u22122<\/b> application does not follow the system\u2212wide policy.<\/p>\n In general only the data\u2212in\u2212transit is currently covered by the system\u2212wide policy.<\/p>\n If the system administrator changes the system\u2212wide policy level with the update\u2212crypto\u2212policies(8)<\/b> command it is advisable to restart the system as the individual back\u2212end libraries read the configuration files usually during their initialization. The changes in the policy level thus take place in most cases only when the applications using the back\u2212end libraries are restarted.<\/p>\n Removed cipher suites and protocols<\/b><\/p>\n The following cipher suites and protocols are completely removed from the core cryptographic libraries listed above:<\/p>\n \u2022 DES<\/b><\/p>\n \u2022 All export grade cipher suites<\/p>\n \u2022 MD5<\/b> in signatures<\/p>\n \u2022 SSLv2<\/b><\/p>\n \u2022 SSLv3<\/b><\/p>\n \u2022 All ECC<\/b> curves smaller than 224 bits<\/p>\n \u2022 All binary field ECC<\/b> curves<\/p>\n Cipher suites and protocols disabled in all policy levels<\/b><\/p>\n The following ciphersuites and protocols are available but disabled in all crypto policy levels. They can be enabled only by explicit configuration of individual applications:<\/p>\n \u2022 DH<\/b> with parameters < 1024 bits<\/p>\n \u2022 RSA<\/b> with key size < 1024 bits<\/p>\n \u2022 Camellia<\/b><\/p>\n \u2022 ARIA<\/b><\/p>\n \u2022 SEED<\/b><\/p>\n \u2022 IDEA<\/b><\/p>\n \u2022 Integrity only ciphersuites<\/p>\n \u2022 TLS CBC mode<\/b> ciphersuites using SHA\u2212384<\/b> HMAC<\/p>\n \u2022 AES\u2212CCM8<\/b><\/p>\n \u2022 all ECC<\/b> curves incompatible with TLS 1.3<\/b>, including secp256k1<\/p>\n \u2022 IKEv1<\/b><\/p>\n Notable irregularities in the individual configuration generators<\/b><\/p>\n \u2022 OpenSSL<\/b>: The minimum length of the keys and some other parameters are enforced by the @SECLEVEL value which does not provide a fine granularity. The list of TLS<\/b> ciphers is not generated as an exact list but by subtracting from all the supported ciphers for the enabled key exchange methods. For that reason there is no way to disable a random cipher. In particular all AES\u2212128<\/b> ciphers are disabled if the AES\u2212128\u2212GCM<\/b> is not present in the list; all AES\u2212256<\/b> ciphers are disabled if the AES\u2212256\u2212GCM<\/b> is not present. The CBC<\/b> ciphers are disabled if there isn\u2019t HMAC\u2212SHA1<\/b> in the hmac list and AES\u2212256\u2212CBC<\/b> in the cipher list. To disable the CCM<\/b> ciphers both AES\u2212128\u2212CCM<\/b> and AES\u2212256\u2212CCM<\/b> must not be present in the cipher list.<\/p>\n \u2022 GnuTLS<\/b>: The minimum length of the keys and some other parameters are enforced by min\u2212verification\u2212profile setting in the GnuTLS<\/b> configuration file which does not provide fine granularity.<\/p>\n \u2022 OpenSSH<\/b>: DH<\/b> group 1 is always disabled on server even if the policy allows 1024 bit DH<\/b> groups in general. The OpenSSH configuration option HostKeyAlgorithms is set only for the SSH<\/b> server as otherwise the handling of the existing known hosts entries would be broken on client.<\/p>\n \u2022 Libreswan<\/b>: The key_exchange<\/b> parameter does not affect the generated configuration. The use of regular DH<\/b> or ECDH<\/b> can be limited with appropriate setting of the group<\/b> parameter.<\/p>\n The ECDHE\u2212GSS<\/b> and DHE\u2212GSS<\/b> algorithms are newly introduced and must be specified in the base policy for the SSH GSSAPI key exchange methods to be enabled. Previously the legacy SSH GSSAPI key exchange methods were automatically enabled when the SHA1<\/b> hash and DH<\/b> parameters of at least 2048 bits were enabled.<\/p>\n Before the introduction of the custom crypto policies<\/b> support it was possible to have an completely arbitrary crypto policy created as a set of arbitrary back\u2212end config files in \/usr\/share\/crypto\u2212policies\/ \/etc\/crypto\u2212policies\/back\u2212ends<\/p>\n The individual cryptographical back\u2212end configuration files. Usually linked to the configuration shipped in the crypto\u2212policies package unless a configuration from local.d is added.<\/p>\n \/etc\/crypto\u2212policies\/config<\/p>\n The active crypto\u2212policies level set on the system.<\/p>\n \/etc\/crypto\u2212policies\/local.d<\/p>\n Additional configuration shipped by other packages or created by the system administrator. The contents of the \/usr\/share\/crypto\u2212policies\/policies<\/p>\n System policy definition files.<\/p>\n \/usr\/share\/crypto\u2212policies\/policies\/modules<\/p>\n System subpolicy module definition files.<\/p>\n \/etc\/crypto\u2212policies\/policies<\/p>\n Custom policy definition files as configured by the system administrator.<\/p>\n \/etc\/crypto\u2212policies\/policies\/modules<\/p>\n Custom subpolicy module definition files as configured by the system administrator.<\/p>\n \/usr\/share\/crypto\u2212policies\/<'POLICYNAME'><\/p>\n Pre\u2212generated back\u2212end configurations for policy POLICYNAME<\/i>.<\/p>\n update\u2212crypto\u2212policies(8), fips\u2212mode\u2212setup(8)<\/p>\n Written by Tom\u00c3\u00a1\u00c5\u00a1 Mr\u00c3\u00a1z.<\/p>\n crypto-policies \u2212 system\u2212wide crypto policies overview <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[971],"tags":[973,1016,972],"class_list":["post-3923","post","type-post","status-publish","format-standard","hentry","category-7-miscelanea","tag-973","tag-crypto-policies","tag-man7"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3923"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3923\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
DESCRIPTION<\/a>
COVERED APPLICATIONS<\/a>
PROVIDED POLICY LEVELS<\/a>
CRYPTO POLICY DEFINITON FORMAT<\/a>
COMMANDS<\/a>
NOTES<\/a>
HISTORY<\/a>
FILES<\/a>
SEE ALSO<\/a>
AUTHOR<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
DESCRIPTION <\/a> <\/h2>\n
COVERED APPLICATIONS <\/a> <\/h2>\n
PROVIDED POLICY LEVELS <\/a> <\/h2>\n
CRYPTO POLICY DEFINITON FORMAT <\/a> <\/h2>\n
COMMANDS <\/a> <\/h2>\n
NOTES <\/a> <\/h2>\n
HISTORY <\/a> <\/h2>\n
FILES <\/a> <\/h2>\n
SEE ALSO <\/a> <\/h2>\n
AUTHOR <\/a> <\/h2>\n
\n","protected":false},"excerpt":{"rendered":"