
Configuring crypto policies in Red Hat Enterprise Linux 8 and 9 (and its derivatives)

Product:IMiS/ARChive
Release:Since 10.2.2110
Date:12/19/2022

Case: With Red Hat Enterprise Linux 8, a system-wide crypto policy mechanism was introduced which controls several system cryptographic libraries. This article describes how to configure crypto policies for the IMiS ARChive server.

Description:

IMiS ARChive makes extensive use of OpenSSL for various cryptographic operations. Since Red Hat Enterprise Linux 8, OpenSSL is governed by crypto policies, so crypto policy settings may cause IMiS ARChive to malfunction. Crypto policies are settings files located in '/usr/share/crypto-policies/policies/'. Modules are custom subpolicies which additionally configure a specific section of a policy; they are located in '/usr/share/crypto-policies/policies/modules/'. Policy customization is available from RHEL 8.2; scoped customization (changing settings only for one cryptographic library or protocol) is available from RHEL 8.5. Policy module names must be in uppercase.

The next example shows the default policies and modules in CentOS 8.4:

[root@host tmp]# ls -al /usr/share/crypto-policies/policies/
total 20
drwxr-xr-x.  3 root root  109 Sep  7  2021 .
drwxr-xr-x. 10 root root  165 Sep  7  2021 ..
-rw-r--r--.  1 root root 2121 Feb  9  2021 DEFAULT.pol
-rw-r--r--.  1 root root  364 Feb  9  2021 EMPTY.pol
-rw-r--r--.  1 root root 1680 Feb  9  2021 FIPS.pol
-rw-r--r--.  1 root root 2029 Feb  9  2021 FUTURE.pol
-rw-r--r--.  1 root root 2543 Feb  9  2021 LEGACY.pol
drwxr-xr-x.  2 root root  113 Sep  7  2021 modules

[root@host tmp]# ls -al /usr/share/crypto-policies/policies/modules/
total 20
drwxr-xr-x. 2 root root  113 Sep  7  2021 .
drwxr-xr-x. 3 root root  109 Sep  7  2021 ..
-rw-r--r--. 1 root root  288 Feb  9  2021 AD-SUPPORT.pmod
-rw-r--r--. 1 root root  118 Feb  9  2021 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root  246 Feb  9  2021 NO-CAMELLIA.pmod
-rw-r--r--. 1 root root  150 Feb  9  2021 NO-SHA1.pmod
-rw-r--r--. 1 root root 2031 Feb  9  2021 OSPP.pmod

Retrieving current crypto policy setting:

[root@host tmp]# update-crypto-policies --show
DEFAULT

Configuring the DEFAULT policy with SHA1 disabled (warning: this may break the IMiS ARChive certificate store and all functionality that depends on it):

update-crypto-policies --set DEFAULT:NO-SHA1

Content of NO-SHA1.pmod:

# This is example subpolicy dropping the SHA1 hash and signature support

hash = -SHA1

sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1

sha1_in_certs = 0

Running the IMiS ARChive server on RHEL 9 with the DEFAULT crypto policy may result in various errors (certificate store errors, TLS errors, ...) if the server certificate store contains certificates that use the SHA1 hashing algorithm. SHA1 is deprecated by default on RHEL 9.

Error examples:

12/19/22 16:03:12.836 [iarcd:66008:7f3b69730380] ERR[3] Certificate store failed to initialize. Reason: 'INTERNAL ERROR: Missing index of parent certificate (id = '0').'.
12/19/22 16:04:25.338 [iarcd:66008:7f3ad77fe640] ERR[3] Error occurred while building SSL certificate store. Reason: 'Certificate store is not initialized.'.

To solve this issue, SHA1 must be enabled for OpenSSL. RHEL 9 ships a module called SHA1.pmod which enables SHA1 for all cryptographic libraries:

[root@host tmp]# ls -al /usr/share/crypto-policies/policies/modules/
total 28
drwxr-xr-x. 2 root root  158 Dec 19 12:10 .
drwxr-xr-x. 3 root root  109 Aug 16 09:53 ..
-rw-r--r--. 1 root root  469 Mar 30  2022 AD-SUPPORT-LEGACY.pmod
-rw-r--r--. 1 root root  283 Mar 30  2022 AD-SUPPORT.pmod
-rw-r--r--. 1 root root  136 Mar 30  2022 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root  123 Mar 30  2022 NO-SHA1.pmod
-rw-r--r--. 1 root root 1986 Mar 30  2022 OSPP.pmod
-rw-r--r--. 1 root root  131 Mar 30  2022 SHA1.pmod

Configuring the DEFAULT policy with SHA1 support:

update-crypto-policies --set DEFAULT:SHA1

A custom policy or subpolicy may also be written to limit SHA1 support to OpenSSL only. The next example shows IMIS-SHA1.pmod, which enables SHA1 only for OpenSSL:

# This subpolicy adds SHA1 signature support to OpenSSL

hash@OpenSSL = SHA1+
sign@OpenSSL = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+

Custom policies should be saved in '/etc/crypto-policies/policies', custom subpolicies in '/etc/crypto-policies/policies/modules'. For the current example, save IMIS-SHA1.pmod in '/etc/crypto-policies/policies/modules' and activate it with 'update-crypto-policies':

update-crypto-policies --set DEFAULT:IMIS-SHA1

After the policy modification, the IMiS ARChive server must be restarted. It is preferable to restart the complete system so that the policy change takes effect system-wide.
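The following script is an added example and is not part of this article or of the IMiS ARChive product. It carries the procedure above through as one unit: it writes the IMIS-SHA1.pmod subpolicy into the custom-module directory, checks that the module name is uppercase and that every setting line has the key[@scope] = value form, activates it with update-crypto-policies, and then looks for SHA1 in the regenerated OpenSSL back-end file. The function names, the "install" guard and the OPENSSL_BACKEND path ('/etc/crypto-policies/back-ends/opensslcnf.config') are assumptions of this example; MODULE_DIR can be overridden to a scratch directory to exercise the write and validation steps without touching the system.

```shell
#!/bin/sh
# Added example, not part of the original article or the IMiS product.
# Installs the IMIS-SHA1 subpolicy shown above, checks the file name and
# syntax, and (when run with "install" as root) activates it.
# MODULE_DIR may be overridden for a dry run in a scratch directory.

MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"
MODULE_NAME="IMIS-SHA1"
# Assumed path of the OpenSSL back-end file that crypto-policies regenerates
# on activation; used only to confirm the scoped change reached OpenSSL.
OPENSSL_BACKEND="${OPENSSL_BACKEND:-/etc/crypto-policies/back-ends/opensslcnf.config}"

# Module names must be uppercase (letters, digits, '-' and '_' only).
check_module_name() {
    case "$1" in
        ""|*[!A-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Writes the OpenSSL-scoped SHA1 subpolicy from the article to $1/$2.pmod.
# In subpolicy syntax 'VALUE+' appends a value to a list (lowest preference)
# and '-VALUE' removes it, which is why SHA1.pmod and NO-SHA1.pmod differ.
write_subpolicy() {
    dir="$1"; name="$2"
    check_module_name "$name" || return 1
    mkdir -p "$dir" || return 1
    cat > "$dir/$name.pmod" <<'EOF'
# This subpolicy adds SHA1 signature support to OpenSSL
hash@OpenSSL = SHA1+
sign@OpenSSL = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
EOF
}

# Returns 0 when every non-comment, non-blank line in $1 has the form
# key[@scope] = value, and 1 when at least one line does not.
validate_subpolicy() {
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
          | grep -c -v -E '^[a-z_]+(@[A-Za-z!]+)?[[:space:]]*=[[:space:]]*[^[:space:]]' \
          || true)
    [ "${bad:-0}" -eq 0 ]
}

# Activates DEFAULT:<module>; requires root and the crypto-policies tooling.
activate_subpolicy() {
    command -v update-crypto-policies >/dev/null 2>&1 || {
        echo "update-crypto-policies not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    update-crypto-policies --set "DEFAULT:$1" || return 1
    update-crypto-policies --show
}

# Reports whether SHA1 appears in the regenerated OpenSSL back-end file.
verify_openssl_backend() {
    [ -r "$OPENSSL_BACKEND" ] || { echo "no $OPENSSL_BACKEND" >&2; return 1; }
    grep -i -q 'sha1' "$OPENSSL_BACKEND"
}

if [ "${1:-}" = "install" ]; then
    write_subpolicy "$MODULE_DIR" "$MODULE_NAME" || exit 1
    validate_subpolicy "$MODULE_DIR/$MODULE_NAME.pmod" || exit 1
    activate_subpolicy "$MODULE_NAME" || exit 1
    verify_openssl_backend && echo "SHA1 present in OpenSSL back-end config"
    echo "Restart iarcd (or the whole system) for the change to take effect."
fi
```

Run it as root with the argument install to perform the full procedure; without arguments it only defines the functions, so it can be sourced and write_subpolicy / validate_subpolicy called against a scratch MODULE_DIR first. Keeping the relaxation scoped to @OpenSSL is the point of the custom module: the rest of the system (GnuTLS, NSS, OpenSSH, Java) stays on the DEFAULT policy, which is narrower than activating the stock SHA1.pmod.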

Related Documents:

https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
https://archive.fosdem.org/2020/schedule/event/security_custom_crypto_policies/attachments/slides/4089/export/events/attachments/security_custom_crypto_policies/slides/4089/custom_crypto_policies_fosdem.pdf
https://blogs.oracle.com/post/oracle-linux-9-update-1
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
https://man.linuxreviews.org/man7/crypto-policies.7.html
