Configuring crypto policies in Red Hat Enterprise Linux 8 and 9 (and their derivatives)
Product: IMiS/ARChive
Release: Since 10.2.2110
Date: 12/19/2022
Case:
With Red Hat Enterprise Linux 8, a system-wide crypto policy mechanism was introduced that controls several system cryptographic libraries. This article describes how to configure crypto policies for the IMiS ARChive server.
Description:
IMiS ARChive extensively uses OpenSSL for various cryptographic operations. Since Red Hat Enterprise Linux 8, OpenSSL is governed by crypto policies, and therefore crypto policy settings may cause IMiS ARChive to malfunction. Crypto policies are settings files located in '/usr/share/crypto-policies/policies/'. Modules are custom subpolicies that additionally configure specific policy sections; they are located in '/usr/share/crypto-policies/policies/modules/'. Policy customization is available from RHEL 8.2; scoped customization (changing settings only for one cryptographic library or protocol) is available from RHEL 8.5. Policy module names must be in uppercase.
The next example shows the default policies and modules in CentOS 8.4:
[root@host tmp]# ls -al /usr/share/crypto-policies/policies/
total 20
drwxr-xr-x. 3 root root 109 Sep 7 2021 .
drwxr-xr-x. 10 root root 165 Sep 7 2021 ..
-rw-r--r--. 1 root root 2121 Feb 9 2021 DEFAULT.pol
-rw-r--r--. 1 root root 364 Feb 9 2021 EMPTY.pol
-rw-r--r--. 1 root root 1680 Feb 9 2021 FIPS.pol
-rw-r--r--. 1 root root 2029 Feb 9 2021 FUTURE.pol
-rw-r--r--. 1 root root 2543 Feb 9 2021 LEGACY.pol
drwxr-xr-x. 2 root root 113 Sep 7 2021 modules
[root@host tmp]# ls -al /usr/share/crypto-policies/policies/modules/
total 20
drwxr-xr-x. 2 root root 113 Sep 7 2021 .
drwxr-xr-x. 3 root root 109 Sep 7 2021 ..
-rw-r--r--. 1 root root 288 Feb 9 2021 AD-SUPPORT.pmod
-rw-r--r--. 1 root root 118 Feb 9 2021 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root 246 Feb 9 2021 NO-CAMELLIA.pmod
-rw-r--r--. 1 root root 150 Feb 9 2021 NO-SHA1.pmod
-rw-r--r--. 1 root root 2031 Feb 9 2021 OSPP.pmod
Retrieving the current crypto policy setting:
[root@host tmp]# update-crypto-policies --show
DEFAULT
Configuring the DEFAULT policy with SHA1 disabled (warning: this may break the IMiS ARChive certificate store and all functionality that depends on it):
update-crypto-policies --set DEFAULT:NO-SHA1
Content of NO-SHA1.pmod:
# This is example subpolicy dropping the SHA1 hash and signature support
hash = -SHA1
sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1
sha1_in_certs = 0
Running the IMiS ARChive server on RHEL 9 with the DEFAULT crypto policy may result in various errors (certificate store errors, TLS errors ...) if the server certificate store contains certificates that use the SHA1 hashing algorithm. SHA1 is deprecated by default on RHEL 9.
Error examples:
12/19/22 16:03:12.836 [iarcd:66008:7f3b69730380] ERR[3] Certificate store failed to initialize. Reason: 'INTERNAL ERROR: Missing index of parent certificate (id = '0').'.
12/19/22 16:04:25.338 [iarcd:66008:7f3ad77fe640] ERR[3] Error occurred while building SSL certificate store. Reason: 'Certificate store is not initialized.'.
To solve this issue, SHA1 must be enabled for OpenSSL. RHEL 9 ships by default a module called SHA1.pmod, which enables SHA1 for all cryptographic libraries:
[root@host tmp]# ls -al /usr/share/crypto-policies/policies/modules/
total 28
drwxr-xr-x. 2 root root 158 Dec 19 12:10 .
drwxr-xr-x. 3 root root 109 Aug 16 09:53 ..
-rw-r--r--. 1 root root 469 Mar 30 2022 AD-SUPPORT-LEGACY.pmod
-rw-r--r--. 1 root root 283 Mar 30 2022 AD-SUPPORT.pmod
-rw-r--r--. 1 root root 136 Mar 30 2022 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root 123 Mar 30 2022 NO-SHA1.pmod
-rw-r--r--. 1 root root 1986 Mar 30 2022 OSPP.pmod
-rw-r--r--. 1 root root 131 Mar 30 2022 SHA1.pmod
Configuring the DEFAULT policy with SHA1 support:
update-crypto-policies --set DEFAULT:SHA1
A custom policy or subpolicy may also be written to limit SHA1 support to OpenSSL only. The next example shows IMIS-SHA1.pmod, which enables SHA1 only for OpenSSL:
# This subpolicy adds SHA1 signature support to OpenSSL
hash@OpenSSL = SHA1+
sign@OpenSSL = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
Custom policies should be saved in '/etc/crypto-policies/policies', custom subpolicies in '/etc/crypto-policies/policies/modules'. For the current example, save IMIS-SHA1.pmod in '/etc/crypto-policies/policies/modules' and activate it with 'update-crypto-policies':
update-crypto-policies --set DEFAULT:IMIS-SHA1
After the policy modification, the IMiS ARChive server must be restarted. Preferably, restart the complete system so that the policy change takes effect system-wide.
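The procedure above, as an added example script that is not part of the original article or of IMiS: it writes the IMIS-SHA1.pmod subpolicy into a directory (the article's '/etc/crypto-policies/policies/modules' by default, overridable for testing), audits a directory of PEM certificates for SHA-1 signatures so that the subpolicy is only activated when the certificate store actually needs it, and activates DEFAULT:IMIS-SHA1. The certificate directory is an assumed argument (the article does not state where the IMiS certificate store keeps its files), and the openssl CLI and root privileges are assumed for the audit and activation steps.

```shell
#!/bin/sh
# Added example (not IMiS or Red Hat code): generate the IMIS-SHA1 subpolicy
# from the article, audit certificates for SHA-1 signatures, and activate it.
set -eu

# Write IMIS-SHA1.pmod into the directory given as $1
# (default: the custom subpolicy directory named in the article).
write_imis_sha1_pmod() {
    dir="${1:-/etc/crypto-policies/policies/modules}"
    mkdir -p "$dir"
    cat > "$dir/IMIS-SHA1.pmod" <<'EOF'
# This subpolicy adds SHA1 signature support to OpenSSL only
hash@OpenSSL = SHA1+
sign@OpenSSL = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
EOF
    printf '%s\n' "$dir/IMIS-SHA1.pmod"
}

# Count PEM certificates (*.pem, *.crt) under $1 whose signature algorithm
# uses SHA-1. Assumes the openssl CLI is installed; prints the count and
# lists each offending file on stderr. A count of 0 means the subpolicy is
# not needed for this certificate directory.
count_sha1_signed_certs() {
    n=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -text 2>/dev/null \
            | grep -qi 'Signature Algorithm: .*sha1'; then
            echo "SHA-1 signed: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Activate DEFAULT:IMIS-SHA1 system-wide (requires root and the
# update-crypto-policies tool); prints the resulting active policy name.
# Remember to restart IMiS ARChive, or preferably the whole system, afterwards.
activate_imis_sha1() {
    update-crypto-policies --set DEFAULT:IMIS-SHA1 >/dev/null
    update-crypto-policies --show
}
```

Typical use on a RHEL 9 host: `write_imis_sha1_pmod`, then `count_sha1_signed_certs /path/to/certs` (a constructed placeholder path), and `activate_imis_sha1` only if the count is greater than zero.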
Related Documents:
https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9
https://archive.fosdem.org/2020/schedule/event/security_custom_crypto_policies/attachments/slides/4089/export/events/attachments/security_custom_crypto_policies/slides/4089/custom_crypto_policies_fosdem.pdf
https://blogs.oracle.com/post/oracle-linux-9-update-1
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
https://man.linuxreviews.org/man7/crypto-policies.7.html