update-crypto-policies (8) - Linux Man Pages
update-crypto-policies: manage the policies available to the various cryptographic back-ends.
update-crypto-policies - manage the policies available to the various cryptographic back-ends.
update-crypto-policies(8) is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. That will be the default policy used by these back-ends unless the application user configures them otherwise.
The available policies are restricted to the following three profiles.
- • LEGACY: ensures maximum compatibility with legacy systems (64-bit security)
- • DEFAULT: A reasonable default for today's standards (80-bit security).
- • FUTURE: A level that will provide security on a conservative level that is believed to withstand any near-term future attacks (112-bit security).
The desired system policy is selected in /etc/crypto-profiles/config and this tool will generate the individual policy requirements for all back-ends that support such configuration. After this tool is called the administrator is assured that any application that utilizes the supported back-ends will policy that adheres to the configured profile.
The generated back-end policies will be placed in /etc/crypto-profiles/back-ends. Currently the supported back-ends are:
- • GnuTLS library
- • OpenSSL library
- • BIND
Policies that were present in previously released Fedora systems will be available using the -FXX suffix, where XX is the Fedora version. For example the LEGACY policy in Fedora 21 will also be available as LEGACY-F21.
Applications shipped by Fedora that provide a default configuration file that includes a cryptographic policy string will be modified gradually to support these policies.
When an application provides a configuration file, the changes needed to utilize the system-wide policy are the following.
- • Applications using GnuTLS: The special priority string "@SYSTEM" should replace any other priority string.
- • Applications using OpenSSL: The special cipher string "PROFILE=SYSTEM" should replace any other cipher string.
In all cases if the application isn't using a particular setting, e.g., using gnutls_priority_set_default() in GnuTLS, or no specific cipher string setting in OpenSSL, no other changes are required. The system-wide string will be used automatically.
One of the supported profiles should be set in /etc/crypto-profiles/config and this script should be run afterwards.
- The file contains the current system policy. It should contain a string of one of the profiles listed above (e.g., DEFAULT).
- Contains the generated policies in separated files, and in a format readable by the supported back-ends.
Written by Nikos Mavrogiannopoulos.