Can we assume that the people who set up systems or software are experts in their field, that they understand the details of the cryptographic algorithms, and that everything they set up is safe from attackers? Whether that assumption is right or wrong, it is important that systems and software operate under the right cryptographic settings. What do I mean by the right cryptographic settings? Settings that comply with globally accepted standards and prevent the use of legacy protocols and algorithms. In short, I'm talking about system-wide crypto policies.
What are crypto policies?
A crypto policy is a package that configures the core cryptographic subsystems by enabling a set of policies, from which the administrator can choose. When a system-wide crypto policy is enabled, applications and services comply with it and reject protocols and algorithms that do not meet the policy.
Tool – update-crypto-policies
update-crypto-policies is the command to manage the current system-wide cryptographic policy. The command is installed by the package 'crypto-policies-scripts' in CentOS Stream 8. However, if you don't find the package in your OS, then install it as shown below:
Install crypto-policies-scripts
# dnf -y install crypto-policies-scripts
(or)
# yum -y install crypto-policies-scripts
View current system-wide policy
# update-crypto-policies --show
DEFAULT
Set/Change system-wide policy
# update-crypto-policies --set FUTURE
Setting system policy to FUTURE
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
As the output above notes, restart the system to apply the new cryptographic policy.
Types of cryptographic policies supported
DEFAULT, LEGACY, FUTURE, and FIPS are the policies you can set using the update-crypto-policies command. Learn more about crypto-policies here.
Examples of client applications
Now, assume that you have set the system-wide crypto policy to FUTURE and see how client applications behave under it.
Use cURL to access a website that uses a weak SHA-1 certificate. While the crypto policy is set to FUTURE, cURL should reject the SHA-1 certificate, as shown below:
# curl https://sha1-intermediate.badssl.com
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Trying to SSH to the server with weak ciphers should result in an error as shown below:
# ssh -vv -oCiphers=3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc centos@192.168.141.141
::::::::::::::::::::::::::::::::::::
Unable to negotiate with 192.168.141.141 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
Learn to disable weak key exchange algorithm, CBC Mode in SSH.
With this, we understand that the client and server applications respect the crypto policies set system-wide. It means the administrator need not worry about setting the right cryptographic algorithm and protocol for each application.
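The checks from this article written as a script, added here as an example and not part of the original post. The function names (policy_rank, policy_meets, cbc_ciphers, server_offer) and the strictness ordering LEGACY < DEFAULT < FUTURE, with FIPS accepted only on an exact match, are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the strictness ranking are assumptions.

# Rank policies by strictness: LEGACY < DEFAULT < FUTURE.
# FIPS is a compliance profile, not a point on that scale, so it has no rank.
policy_rank() {
    case "$1" in
        LEGACY)  echo 0 ;;
        DEFAULT) echo 1 ;;
        FUTURE)  echo 2 ;;
        *)       return 1 ;;   # FIPS or anything unrecognised
    esac
}

# Succeed when policy $1 is the required policy $2 or stricter than it.
policy_meets() {
    [ "$1" = "$2" ] && return 0
    cur=$(policy_rank "$1") || return 1
    req=$(policy_rank "$2") || return 1
    [ "$cur" -ge "$req" ]
}

# Print the CBC-mode entries of a comma-separated OpenSSH cipher list.
cbc_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -- '-cbc$' || true
}

# Read ssh output on stdin and print the server's cipher offer, if any.
server_offer() {
    sed -n 's/.*no matching cipher found\. Their offer: //p'
}

# Negotiation failure line taken from the ssh session shown in this article.
SAMPLE_SSH_ERR='Unable to negotiate with 192.168.141.141 port 22: no matching cipher found. Their offer: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr'

# On a host that has the tool, compare the live policy with a FUTURE baseline.
if command -v update-crypto-policies >/dev/null 2>&1; then
    current=$(update-crypto-policies --show 2>/dev/null) || current=UNKNOWN
    if policy_meets "$current" FUTURE; then
        echo "OK: policy $current meets FUTURE"
    else
        echo "WARN: policy $current does not meet the FUTURE baseline"
    fi
fi
```

Feeding the server's offer from a failed negotiation through cbc_ciphers confirms that the server side advertises no CBC ciphers either.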