update-crypto-policies - Man Page

manage the policies available to the various cryptographic back-ends.

Synopsis

update-crypto-policies [COMMAND]

Description

update-crypto-policies(8) is used to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. The policy aims to control the back-end default algorithm selections unless the application user configures them otherwise.

The available policies are described in the crypto-policies(7) manual page.

The desired system policy is selected in /etc/crypto-policies/config and this tool will generate the individual policy requirements for all back-ends that support such configuration. After this tool is called and all the affected applications are restarted, the administrator is assured that any application that utilizes the supported back-ends will follow the specified policy.

Note that the above assurance does apply to the extent that applications are configured to follow the default policy (the details vary on the back-end, see below for more information).

The generated back-end policies will be placed in /etc/crypto-policies/back-ends. Currently the supported back-ends (and directive scopes they respect) are:

Applications and languages which rely on any of these back-ends will follow the system policies as well. Examples are apache httpd, nginx, php, and others.

In general after changing the system crypto policies with the update-crypto-policies --set command it is recommended to restart the system for the effect to fully take place as the policy configuration files are loaded on application start-up. Otherwise applications started before the command was run need to be restarted to load the updated configuration.

Commands

The following commands are available in update-crypto-policies tool.

Options

The following options are available in update-crypto-policies tool.

Application Support

Applications in the operating system that provide a default configuration file that includes a cryptographic policy string will be modified gradually to support these policies.

When an application provides a configuration file, the changes needed to utilize the system-wide policy are the following.

Policy Configuration

One of the supported policies should be set in /etc/crypto-policies/config and this script should be run afterwards.

In case of a parsing error no policies will be updated.

Custom Policies

The custom policies can take two forms. First form is a full custom policy file which is supported by the update-crypto-policies tool in the same way as the policies shipped along the tool in the package.

The second form can be called a subpolicy or policy modifier. This form modifies aspects of any base policy file by removing or adding algorithms or protocols. The subpolicies can be appended on the update-crypto-policies --set command line to the base policy separated by the : character. There can be multiple subpolicies appended. The resulting configuration is the same as if the policy and subpolicies were concatenated together.

Let’s suppose we have subpolicy NO-SHA1 that drops support for SHA1 hash and subpolicy GOST that enables support for the various algorithms specified in Russian GOST standards. You can set the DEFAULT policy with disabled SHA1 support and enabled GOST support by running the following command:

update-crypto-policies --set DEFAULT:NO-SHA1:GOST

This command generates and applies configuration that will be modification of the DEFAULT policy with changes specified in the NO-SHA1 and GOST subpolicies.

Files

/etc/crypto-policies/config

The file contains the system policy to be applied when update-crypto-policies is run without any arguments. It should contain a string of one of the policies listed in the crypto-policies(7) page (e.g., DEFAULT) or any custom policy name with subpolicies separated by the : character. The file is overwritten when update-crypto-policies --set is executed.

/etc/crypto-policies/back-ends

Contains the generated policies in separated files, and in a format readable by the supported back ends.

/etc/crypto-policies/local.d

Contains additional files to be appended to the generated policy files. The files present must adhere to $app-XXX.config file naming, where XXX is any arbitrary identifier. For example, to append a line to GnuTLS' generated policy, create a gnutls-extra-line.config file in local.d. This will be appended to the generated gnutls.config during update-crypto-policies. Please note that because the mechanism just appends a line to the back-end configuration the effect varies among the back-ends. For some of the back-ends the override fully replaces the original policy and for other back-ends the override might not be effective at all.

/etc/crypto-policies/state/current

The file contains the current system policy name with eventual subpolicies as of the last execution of the update-crypto-policies command.

/etc/crypto-policies/state/CURRENT.pol

The file contains the current system policy definition with all the modifications from eventual subpolicies applied and is written when the update-crypto-policies command is executed.

See Also

crypto-policies(7), fips-mode-setup(8)

Author

Written by Nikos Mavrogiannopoulos.

Referenced By

crypto-policies(7), fips-mode-setup(8), gsissh_config(5), gsisshd_config(5), openssl-ciphers.1ossl(1), ssh_config(5), sshd_config(5), vsftpd.conf(5).

11/28/2024