Mixing CentOS/RHEL8 Crypto Policies
Red Hat Enterprise Linux (RHEL) 8 and its open-source derivative CentOS 8 include a facility for setting system-wide cryptographic policies. Red Hat has published a background explanation and basic usage information.
The utility Red Hat provides to set your policy of choice is called update-crypto-policies. It manages policy choice by maintaining a set of symbolic links in the /etc/crypto-policies/back-ends directory. Here's what the default setup looks like (output of ls -l in that directory):
bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
nss.config -> /usr/share/crypto-policies/DEFAULT/nss.txt
openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
In our environment at work, however, we need a mix-and-match solution. We support several generations of Unix releases, including some older Solaris machines that still perform key duties. Those older machines require us to expose some older crypto for general network functions. In particular, a couple of SSL-enabled services are limited to now-outdated 1024-bit keys and certificates.
Under the DEFAULT crypto policy, RHEL 8 and CentOS 8 machines fail to connect to those services. I had to use the LEGACY setting to allow those connections to succeed.
At the same time, those EL8 machines are able to use the DEFAULT policies for SSH (both client and server); the DEFAULT policies rule out some older crypto that the LEGACY policies still allow.
The problem is that the documentation doesn’t specify a way to mix and match crypto policies. It turns out, you need to use brute force to do so.
What I wanted specifically was to use the LEGACY setting for most policies, but DEFAULT for all SSH client and server operations. As I said, brute force, in this case manually resetting the symlinks, was the only solution I could devise. All operations below are run with root privileges.
# set LEGACY policy and reboot
update-crypto-policies --set LEGACY
systemctl reboot

# after system comes back online...
pushd /etc/crypto-policies/back-ends

# reconfigure SSH client operations using DEFAULT policy
rm openssh.config
ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \
    openssh.config

# reconfigure sshd using DEFAULT policy and restart it
rm opensshserver.config
ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
    opensshserver.config
systemctl restart sshd.service

popd
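The manual re-linking above has two weak spots a practitioner will want covered: a typo in a policy or back-end name leaves a dangling symlink (and sshd then refuses to start), and any later update-crypto-policies --set silently puts every link back under the system-wide policy, while update-crypto-policies --show keeps reporting only that system-wide choice. The script below is an added example, not code from the original post or from Red Hat's tooling. It wraps the same symlink swap in a function that checks the target file exists first, and adds a report of which back-ends currently deviate from the base policy. The CP_ETC and CP_SHARE variables are hypothetical overrides so the script can be exercised against a scratch directory tree; with them unset it works on the real paths shown in the post.

```bash
#!/bin/bash
# Added example (not from the original post): re-point selected crypto-policy
# back-end symlinks at a different policy after update-crypto-policies --set.
# Assumes the directory layout shown in the post. CP_ETC and CP_SHARE are
# hypothetical overrides so the functions can be tried against a scratch tree.
set -u

CP_ETC="${CP_ETC:-/etc/crypto-policies/back-ends}"
CP_SHARE="${CP_SHARE:-/usr/share/crypto-policies}"

# Print the policy a back-end's symlink currently points at (e.g. DEFAULT),
# or "none" if the link is missing or is not a symlink.
backend_policy() {
    local backend="$1" target
    target="$(readlink "$CP_ETC/$backend.config" 2>/dev/null)" || { echo none; return 0; }
    # target looks like /usr/share/crypto-policies/DEFAULT/openssh.txt
    target="${target%/*}"        # drop /openssh.txt
    echo "${target##*/}"         # keep DEFAULT
}

# Re-point one back-end at a policy. Refuses a policy/back-end pair that has
# no file under CP_SHARE, so a typo cannot leave a dangling link behind.
set_backend_policy() {
    local backend="$1" policy="$2"
    local src="$CP_SHARE/$policy/$backend.txt"
    if [ ! -f "$src" ]; then
        echo "no such policy file: $src" >&2
        return 1
    fi
    ln -sfn "$src" "$CP_ETC/$backend.config"
}

# List every back-end that does not follow the given base policy, i.e. the
# overrides a later update-crypto-policies --set would undo.
list_overrides() {
    local base="$1" f backend
    for f in "$CP_ETC"/*.config; do
        backend="$(basename "$f" .config)"
        [ "$(backend_policy "$backend")" = "$base" ] || echo "$backend"
    done
}

# Usage on a real host (as root): apply the post's LEGACY-plus-DEFAULT-for-SSH
# mix and restart sshd so the server picks up the new opensshserver.config.
if [ "${1:-}" = "apply" ]; then
    set_backend_policy openssh DEFAULT
    set_backend_policy opensshserver DEFAULT
    systemctl restart sshd.service
    echo "back-ends overriding LEGACY: $(list_overrides LEGACY | tr '\n' ' ')"
fi
```

Run it as `./mixpolicy.sh apply` after `update-crypto-policies --set LEGACY` and the reboot; rerun it after any future `--set` or crypto-policies package update, since those regenerate the back-ends directory. `list_overrides LEGACY` is the check that `update-crypto-policies --show` cannot give you, because `--show` only reads the system-wide choice from /etc/crypto-policies/config.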