Mixing CentOS/RHEL8 Crypto Policies

By Paul Heinlein | Nov 14, 2019

Red Hat Enterprise Linux (RHEL) 8 and its open-source derivative CentOS 8 include a facility for setting system-wide cryptographic policies. Red Hat has published a background explanation and basic usage information.

The utility Red Hat provides to set your policy of choice is called update-crypto-policies. It manages policy choice by maintaining a fleet of symbolic links in the /etc/crypto-policies/back-ends directory. Here's what the default setup would look like.

bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
nss.config -> /usr/share/crypto-policies/DEFAULT/nss.txt
openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

In our environment at work, however, we need a mix-and-match solution. We support several generations of Unix releases, including some older Solaris machines that still perform key duties. Those older machines necessitate exposing some older crypto for general network functions. In particular, a couple SSL-enabled services are limited to now-outdated 1024-bit keys and certificates.

Using the DEFAULT crypto policy, RHEL 8 and CentOS 8 machines will fail when connecting to those services. I had to use the LEGACY setting to allow those connections to succeed.

At the same time, those EL8 machines are able to use the DEFAULT policies for SSH (both client and server); the DEFAULT policies rule out some older crypto that the LEGACY policies still allow.

The problem is that the documentation doesn't specify a way to mix and match crypto policies. It turns out, you need to use brute force to do so.

What I wanted specifically to do was to use the LEGACY setting for most policies, but use DEFAULT for all SSH client and server operations. As I said, brute force, in this case maually resetting symlinks, was the only solution I could devise. All operations below are run with root privileges.

# set LEGACY policy and reboot
update-crypto-policies --set LEGACY
systemctl reboot

# after system comes back online...
pushd /etc/crypto-policies/back-ends

# reconfigure SSH client operations using DEFAULT policy
rm openssh.config
ln -s /usr/share/crypto-policies/DEFAULT/openssh.txt \

# reconfigure sshd using DEFAULT policy and restart it
rm opensshserver.config
ln -s /usr/share/crypto-policies/DEFAULT/opensshserver.txt \
systemctl restart sshd.service