Chapter 3. Using system-wide cryptographic policies
The system-wide cryptographic policies is a system component that configures the core cryptographic subsystems, covering the TLS, IPsec, SSH, DNSSec, and Kerberos protocols. It provides a small set of policies, which the administrator can select.
3.1. System-wide cryptographic policies
When a system-wide policy is set up, applications in RHEL follow it and refuse to use algorithms and protocols that do not meet the policy, unless you explicitly request the application to do so. That is, the policy applies to the default behavior of applications when running with the system-provided configuration but you can override it if required.
RHEL 9 contains the following predefined policies:
DEFAULT
- The default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long.
LEGACY
- Ensures maximum compatibility with Red Hat Enterprise Linux 6 and earlier; it is less secure due to an increased attack surface. SHA-1 is allowed to be used as TLS hash, signature, and algorithm. CBC-mode ciphers are allowed to be used with SSH. Applications using GnuTLS allow certificates signed with SHA-1. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long.
FUTURE
- A stricter forward-looking security level intended for testing a possible future policy. This policy does not allow the use of SHA-1 in DNSSec or as an HMAC. SHA2-224 and SHA3-224 hashes are rejected. 128-bit ciphers are disabled. CBC-mode ciphers are disabled except in Kerberos. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 3072 bits long. If your system communicates on the public internet, you might face interoperability problems.
FIPS
Conforms with the FIPS 140 requirements. The
fips-mode-setup
tool, which switches the RHEL system into FIPS mode, uses this policy internally. Switching to theFIPS
policy does not guarantee compliance with the FIPS 140 standard. You also must re-generate all cryptographic keys after you set the system to FIPS mode. This is not possible in many scenarios.RHEL also provides the
FIPS:OSPP
system-wide subpolicy, which contains further restrictions for cryptographic algorithms required by the Common Criteria (CC) certification. The system becomes less interoperable after you set this subpolicy. For example, you cannot use RSA and DH keys shorter than 3072 bits, additional SSH algorithms, and several TLS groups. SettingFIPS:OSPP
also prevents connecting to Red Hat Content Delivery Network (CDN) structure. Furthermore, you cannot integrate Active Directory (AD) into the IdM deployments that useFIPS:OSPP
, communication between RHEL hosts usingFIPS:OSPP
and AD domains might not work, or some AD accounts might not be able to authenticate.Note that your system is not CC-compliant after you set the
FIPS:OSPP
cryptographic subpolicy. The only correct way to make your RHEL system compliant with the CC standard is through the installation of thecc-config
package. See the Common Criteria section in the Compliance Activities and Government Standards Knowledgebase article for a list of certified RHEL versions, validation reports, and links to CC guides.
Red Hat continuously adjusts all policy levels so that all libraries provide secure defaults, except when using the LEGACY
policy. Even though the LEGACY
profile does not provide secure defaults, it does not include any algorithms that are easily exploitable. As such, the set of enabled algorithms or acceptable key sizes in any provided policy may change during the lifetime of Red Hat Enterprise Linux.
Such changes reflect new security standards and new security research. If you must ensure interoperability with a specific system for the whole lifetime of Red Hat Enterprise Linux, you should opt-out from the system-wide cryptographic policies for components that interact with that system or re-enable specific algorithms using custom cryptographic policies.
Because a cryptographic key used by a certificate on the Customer Portal API does not meet the requirements by the FUTURE
system-wide cryptographic policy, the redhat-support-tool
utility does not work with this policy level at the moment.
To work around this problem, use the DEFAULT
cryptographic policy while connecting to the Customer Portal API.
The specific algorithms and ciphers described as allowed in the policy levels are available only if an application supports them.
Tool for managing the cryptographic policies
To view or change the current system-wide cryptographic policy, use the update-crypto-policies
tool, for example:
$ update-crypto-policies --show DEFAULT # update-crypto-policies --set FUTURE Setting system policy to FUTURE
To ensure that the change of the cryptographic policy is applied, restart the system.
Strong cryptographic defaults by removing insecure cipher suites and protocols
The following list contains cipher suites and protocols removed from the core cryptographic libraries in RHEL. Because they are not present in the sources, or their support is disabled during the build, applications cannot use them.
- DES (since RHEL 7)
- All export grade cipher suites (since RHEL 7)
- MD5 in signatures (since RHEL 7)
- SSLv2 (since RHEL 7)
- SSLv3 (since RHEL 8)
- All ECC curves < 224 bits (since RHEL 6)
- All binary field ECC curves (since RHEL 6)
Algorithms disabled in all policy levels
The following algorithms are disabled in LEGACY
, DEFAULT
, FUTURE
, and FIPS
cryptographic policies included in RHEL 9. They can be enabled only by applying a custom cryptographic policy or by an explicit configuration of individual applications, but the resulting configuration falls outside of the Production Support Scope of Coverage.
- TLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
- DTLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
- DH with parameters < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
- RSA with key size < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
- DSA (since RHEL 9, was < 1024 bits in RHEL 8)
- 3DES (since RHEL 9)
- RC4 (since RHEL 9)
- FFDHE-1024 (since RHEL 9)
- DHE-DSS (since RHEL 9)
- Camellia (since RHEL 9)
- ARIA
- IKEv1 (since RHEL 8)
Algorithms enabled in the cryptographic policies
Each cryptographic policy enables specific cipher suites and protocols:
LEGACY | DEFAULT | FIPS | FUTURE | |
---|---|---|---|---|
IKEv1 | no | no | no | no |
3DES | no | no | no | no |
RC4 | no | no | no | no |
DH | min. 2048-bit | min. 2048-bit | min. 2048-bit | min. 3072-bit |
RSA | min. 2048-bit | min. 2048-bit | min. 2048-bit | min. 3072-bit |
DSA | no | no | no | no |
TLS v1.1 and older | no | no | no | no |
TLS v1.2 and newer | yes | yes | yes | yes |
SHA-1 in digital signatures and certificates | yes | no | no | no |
CBC mode ciphers | yes | no[a] | no[b] | no[c] |
Symmetric ciphers with keys < 256 bits | yes | yes | yes | no |
[a]
CBC ciphers are disabled for SSH
[b]
CBC ciphers are disabled for all protocols except Kerberos
[c]
CBC ciphers are disabled for all protocols except Kerberos
|
Additional resources
-
update-crypto-policies(8)
man page
3.2. Switching the system-wide cryptographic policy to mode compatible with earlier releases
The default system-wide cryptographic policy in Red Hat Enterprise Linux 9 does not allow communication using older, insecure protocols. For environments that require to be compatible with Red Hat Enterprise Linux 6 and in some cases also with earlier releases, the less secure LEGACY
policy level is available.
Switching to the LEGACY
policy level results in a less secure system and applications.
Procedure
To switch the system-wide cryptographic policy to the
LEGACY
level, enter the following command asroot
:# update-crypto-policies --set LEGACY Setting system policy to LEGACY
Additional resources
-
For the list of available cryptographic policy levels, see the
update-crypto-policies(8)
man page. -
For defining custom cryptographic policies, see the
Custom Policies
section in theupdate-crypto-policies(8)
man page and theCrypto Policy Definition Format
section in thecrypto-policies(7)
man page.
3.3. Setting up system-wide cryptographic policies in the web console
You can set one of system-wide cryptographic policies and subpolicies directly in the RHEL web console interface. Besides the four predefined system-wide cryptographic policies, you can also apply the following combinations of policies and subpolicies through the graphical interface now:
DEFAULT:SHA1
-
The
DEFAULT
policy with theSHA-1
algorithm enabled. LEGACY:AD-SUPPORT
-
The
LEGACY
policy with less secure settings that improve interoperability for Active Directory services. FIPS:OSPP
-
The
FIPS
policy with further restrictions required by the Common Criteria for Information Technology Security Evaluation standard.
Because the FIPS:OSPP
system-wide subpolicy contains further restrictions for cryptographic algorithms required by the Common Criteria (CC) certification, the system is less interoperable after you set it. For example, you cannot use RSA and DH keys shorter than 3072 bits, additional SSH algorithms, and several TLS groups. Setting FIPS:OSPP
also prevents connecting to Red Hat Content Delivery Network (CDN) structure. Furthermore, you cannot integrate Active Directory (AD) into the IdM deployments that use FIPS:OSPP
, communication between RHEL hosts using FIPS:OSPP
and AD domains might not work, or some AD accounts might not be able to authenticate.
Note that your system is not CC-compliant after you set the FIPS:OSPP
cryptographic subpolicy. The only correct way to make your RHEL system compliant with the CC standard is through the installation of the cc-config
package. See the Common Criteria section in the Compliance Activities and Government Standards Knowledgebase article for a list of certified RHEL versions, validation reports, and links to CC guides hosted at the National Information Assurance Partnership (NIAP) website.
Prerequisites
- The RHEL 9 web console has been installed. For details, see Installing and enabling the web console.
-
You have
root
privileges or permissions to enter administrative commands withsudo
.
Procedure
- Log in to the web console. For more information, see Logging in to the web console.
In the Configuration card of the Overview page, click your current policy value next to Crypto policy.
In the Change crypto policy dialog window, click on the policy you want to start using on your system.
- Click the button.
Verification
-
After the restart, log back in to web console, and check that the Crypto policy value corresponds to the one you selected. Alternatively, you can enter the
update-crypto-policies --show
command to display the current system-wide cryptographic policy in your terminal.
3.4. Switching the system to FIPS mode
The system-wide cryptographic policies contain a policy level that enables cryptographic algorithms in accordance with the requirements by the Federal Information Processing Standard (FIPS) Publication 140. The fips-mode-setup
tool that enables or disables FIPS mode internally uses the FIPS
system-wide cryptographic policy.
Switching the system to FIPS mode by using the FIPS
system-wide cryptographic policy does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible. For example, in the case of an existing IdM realm with users' cryptographic keys you cannot re-generate all the keys.
The fips-mode-setup
tool uses the FIPS
policy internally. But on top of what the update-crypto-policies
command with the --set FIPS
option does, fips-mode-setup
ensures the installation of the FIPS dracut module by using the fips-finish-install
tool, it also adds the fips=1
boot option to the kernel command line and regenerates the initial RAM disk.
Only enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
After you complete the setup of FIPS mode, you cannot switch off FIPS mode without putting the system into an inconsistent state. If your scenario requires this change, the only correct way is a complete re-installation of the system.
The cryptographic modules of RHEL 9 are not yet certified for the FIPS 140-3 requirements.
Procedure
To switch the system to FIPS mode:
# fips-mode-setup --enable Kernel initramdisks are being regenerated. This might take some time. Setting system policy to FIPS Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. FIPS mode will be enabled. Please reboot the system for the setting to take effect.
Restart your system to allow the kernel to switch to FIPS mode:
# reboot
Verification
After the restart, you can check the current state of FIPS mode:
# fips-mode-setup --check FIPS mode is enabled.
Additional resources
-
fips-mode-setup(8)
man page - Installing the system in FIPS mode
- Security Requirements for Cryptographic Modules on the National Institute of Standards and Technology (NIST) web site.
3.5. Enabling FIPS mode in a container
To enable the full set of cryptographic module self-checks mandated by the Federal Information Processing Standard Publication 140-2 (FIPS mode), the host system kernel must be running in FIPS mode. The podman
utility automatically enables FIPS mode on supported containers.
The fips-mode-setup
command does not work correctly in containers, and it cannot be used to enable or check FIPS mode in this scenario.
The cryptographic modules of RHEL 9 are not yet certified for the FIPS 140-3 requirements.
Prerequisites
- The host system must be in FIPS mode.
Procedure
-
On systems with FIPS mode enabled, the
podman
utility automatically enables FIPS mode on supported containers.
Additional resources
3.6. List of RHEL applications using cryptography that is not compliant with FIPS 140-3
To pass all relevant cryptographic certifications, such as FIPS 140-3, use libraries from the core cryptographic components set. These libraries, except from libgcrypt
, also follow the RHEL system-wide cryptographic policies.
See the RHEL core cryptographic components article for an overview of the core cryptographic components, the information on how are they selected, how are they integrated into the operating system, how do they support hardware security modules and smart cards, and how do cryptographic certifications apply to them.
List of RHEL 9 applications using cryptography that is not compliant with FIPS 140-3
- Bacula
- Implements the CRAM-MD5 authentication protocol.
- Cyrus SASL
- Uses the SCRAM-SHA-1 authentication method.
- Dovecot
- Uses SCRAM-SHA-1.
- Emacs
- Uses SCRAM-SHA-1.
- FreeRADIUS
- Uses MD5 and SHA-1 for authentication protocols.
- Ghostscript
- Custom cryptography implementation (MD5, RC4, SHA-2, AES) to encrypt and decrypt documents.
- GRUB2
-
Supports legacy firmware protocols requiring SHA-1 and includes the
libgcrypt
library. - iPXE
- Implements TLS stack.
- Kerberos
- Preserves support for SHA-1 (interoperability with Windows).
- Lasso
-
The
lasso_wsse_username_token_derive_key()
key derivation function (KDF) uses SHA-1. - MariaDB, MariaDB Connector
-
The
mysql_native_password
authentication plugin uses SHA-1. - MySQL
-
mysql_native_password
uses SHA-1. - OpenIPMI
- The RAKP-HMAC-MD5 authentication method is not approved for FIPS usage and does not work in FIPS mode.
- Ovmf (UEFI firmware), Edk2, shim
- Full cryptographic stack (an embedded copy of the OpenSSL library).
- Perl
- Uses HMAC, HMAC-SHA1, HMAC-MD5, SHA-1, SHA-224,….
- Pidgin
- Implements DES and RC4 ciphers.
- PKCS #12 file processing (OpenSSL, GnuTLS, NSS, Firefox, Java)
- All uses of PKCS #12 are not FIPS-compliant, because the Key Derivation Function (KDF) used for calculating the whole-file HMAC is not FIPS-approved. As such, PKCS #12 files are considered to be plain text for the purposes of FIPS compliance. For key-transport purposes, wrap PKCS #12 (.p12) files using a FIPS-approved encryption scheme.
- Poppler
- Can save PDFs with signatures, passwords, and encryption based on non-allowed algorithms if they are present in the original PDF (for example MD5, RC4, and SHA-1).
- PostgreSQL
- Implements Blowfish, DES, and MD5. A KDF uses SHA-1.
- QAT Engine
- Mixed hardware and software implementation of cryptographic primitives (RSA, EC, DH, AES,…)
- Ruby
- Provides insecure MD5 and SHA-1 library functions.
- Samba
- Preserves support for RC4 and DES (interoperability with Windows).
- Syslinux
- BIOS passwords use SHA-1.
- Unbound
- DNS specification requires that DNSSEC resolvers use a SHA-1-based algorithm in DNSKEY records for validation.
- Valgrind
- AES, SHA hashes.[2]
- zip
- Custom cryptography implementation (insecure PKWARE encryption algorithm) to encrypt and decrypt archives using a password.
Additional resources
- FIPS 140-2 and FIPS 140-3 section in the Compliance Activities and Government Standards Knowledgebase article
- RHEL core cryptographic components Knowledgebase article
3.7. Excluding an application from following system-wide crypto policies
You can customize cryptographic settings used by your application preferably by configuring supported cipher suites and protocols directly in the application.
You can also remove a symlink related to your application from the /etc/crypto-policies/back-ends
directory and replace it with your customized cryptographic settings. This configuration prevents the use of system-wide cryptographic policies for applications that use the excluded back end. Furthermore, this modification is not supported by Red Hat.
3.7.1. Examples of opting out of system-wide crypto policies
wget
To customize cryptographic settings used by the wget
network downloader, use --secure-protocol
and --ciphers
options. For example:
$ wget --secure-protocol=TLSv1_1 --ciphers="SECURE128" https://example.com
See the HTTPS (SSL/TLS) Options section of the wget(1)
man page for more information.
curl
To specify ciphers used by the curl
tool, use the --ciphers
option and provide a colon-separated list of ciphers as a value. For example:
$ curl https://example.com --ciphers '@SECLEVEL=0:DES-CBC3-SHA:RSA-DES-CBC3-SHA'
See the curl(1)
man page for more information.
Firefox
Even though you cannot opt out of system-wide cryptographic policies in the Firefox
web browser, you can further restrict supported ciphers and TLS versions in Firefox’s Configuration Editor. Type about:config
in the address bar and change the value of the security.tls.version.min
option as required. Setting security.tls.version.min
to 1
allows TLS 1.0 as the minimum required, security.tls.version.min 2
enables TLS 1.1, and so on.
OpenSSH
To opt out of the system-wide cryptographic policies for your OpenSSH server, specify the cryptographic policy in a drop-in configuration file located in the /etc/ssh/sshd_config.d/
directory, with a two-digit number prefix smaller than 50, so that it lexicographically precedes the 50-redhat.conf
file, and with a .conf
suffix, for example, 49-crypto-policy-override.conf
.
See the sshd_config(5)
man page for more information.
To opt out of system-wide cryptographic policies for your OpenSSH client, perform one of the following tasks:
-
For a given user, override the global
ssh_config
with a user-specific configuration in the~/.ssh/config
file. -
For the entire system, specify the cryptographic policy in a drop-in configuration file located in the
/etc/ssh/ssh_config.d/
directory, with a two-digit number prefix smaller than 50, so that it lexicographically precedes the50-redhat.conf
file, and with a.conf
suffix, for example,49-crypto-policy-override.conf
.
See the ssh_config(5)
man page for more information.
Libreswan
See the Configuring IPsec connections that opt out of the system-wide crypto policies in the Securing networks document for detailed information.
Additional resources
-
update-crypto-policies(8)
man page
3.8. Customizing system-wide cryptographic policies with subpolicies
Use this procedure to adjust the set of enabled cryptographic algorithms or protocols.
You can either apply custom subpolicies on top of an existing system-wide cryptographic policy or define such a policy from scratch.
The concept of scoped policies allows enabling different sets of algorithms for different back ends. You can limit each configuration directive to specific protocols, libraries, or services.
Furthermore, directives can use asterisks for specifying multiple values using wildcards.
The /etc/crypto-policies/state/CURRENT.pol
file lists all settings in the currently applied system-wide cryptographic policy after wildcard expansion. To make your cryptographic policy more strict, consider using values listed in the /usr/share/crypto-policies/policies/FUTURE.pol
file.
You can find example subpolicies in the /usr/share/crypto-policies/policies/modules/
directory. The subpolicy files in this directory contain also descriptions in lines that are commented out.
Procedure
Checkout to the
/etc/crypto-policies/policies/modules/
directory:# cd /etc/crypto-policies/policies/modules/
Create subpolicies for your adjustments, for example:
# touch MYCRYPTO-1.pmod # touch SCOPES-AND-WILDCARDS.pmod
ImportantUse upper-case letters in file names of policy modules.
Open the policy modules in a text editor of your choice and insert options that modify the system-wide cryptographic policy, for example:
# vi MYCRYPTO-1.pmod
min_rsa_size = 3072 hash = SHA2-384 SHA2-512 SHA3-384 SHA3-512
# vi SCOPES-AND-WILDCARDS.pmod
# Disable the AES-128 cipher, all modes cipher = -AES-128-* # Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK) cipher@TLS = -CHACHA20-POLY1305 # Allow using the FFDHE-1024 group with the SSH protocol (libssh and OpenSSH) group@SSH = FFDHE-1024+ # Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH) cipher@SSH = -*-CBC # Allow the AES-256-CBC cipher in applications using libssh cipher@libssh = AES-256-CBC+
- Save the changes in the module files.
Apply your policy adjustments to the
DEFAULT
system-wide cryptographic policy level:# update-crypto-policies --set DEFAULT:MYCRYPTO-1:SCOPES-AND-WILDCARDS
To make your cryptographic settings effective for already running services and applications, restart the system:
# reboot
Verification
Check that the
/etc/crypto-policies/state/CURRENT.pol
file contains your changes, for example:$ cat /etc/crypto-policies/state/CURRENT.pol | grep rsa_size min_rsa_size = 3072
Additional resources
-
Custom Policies
section in theupdate-crypto-policies(8)
man page -
Crypto Policy Definition Format
section in thecrypto-policies(7)
man page - How to customize crypto policies in RHEL 8.2 Red Hat blog article
3.9. Re-enabling SHA-1
The use of the SHA-1 algorithm for creating and verifying signatures is restricted in the DEFAULT
cryptographic policy. If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures, you can enable it by applying the SHA1
subpolicy, which RHEL 9 provides by default. Note that it weakens the security of the system.
Prerequisites
-
The system uses the
DEFAULT
system-wide cryptographic policy.
Procedure
Apply the
SHA1
subpolicy to theDEFAULT
cryptographic policy:# update-crypto-policies --set DEFAULT:SHA1 Setting system policy to DEFAULT:SHA1 Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
Restart the system:
# reboot
Verification
Display the current cryptographic policy:
# update-crypto-policies --show DEFAULT:SHA1
Switching to the LEGACY
cryptographic policy by using the update-crypto-policies --set LEGACY
command also enables SHA-1 for signatures. However, the LEGACY
cryptographic policy makes your system much more vulnerable by also enabling other weak cryptographic algorithms. Use this workaround only for scenarios that require the enablement of other legacy cryptographic algorithms than SHA-1 signatures.
Additional resources
3.10. Creating and setting a custom system-wide cryptographic policy
The following steps demonstrate customizing the system-wide cryptographic policies by a complete policy file.
Procedure
Create a policy file for your customizations:
# cd /etc/crypto-policies/policies/ # touch MYPOLICY.pol
Alternatively, start by copying one of the four predefined policy levels:
# cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.pol
Edit the file with your custom cryptographic policy in a text editor of your choice to fit your requirements, for example:
# vi /etc/crypto-policies/policies/MYPOLICY.pol
Switch the system-wide cryptographic policy to your custom level:
# update-crypto-policies --set MYPOLICY
To make your cryptographic settings effective for already running services and applications, restart the system:
# reboot
Additional resources
-
Custom Policies
section in theupdate-crypto-policies(8)
man page and theCrypto Policy Definition Format
section in thecrypto-policies(7)
man page - How to customize crypto policies in RHEL Red Hat blog article