In order to unify the cryptographic policies as used by different applications and libraries we have introduced the crypto-policies package in Tumbleweed. This package allows to set the cryptographic security level for all applications that use a cryptographic back-end supported by the policies. For now, only OpenSSL, GnuTLS, Apache2, Java/OpenJDK, Stunnel and perl-IO-Socket-SSL follow these policies but more libraries and applications will be added gradually. Note that, the crypto-policies support was added to Tumbleweed since snapshot 20201216.
Predefined security levels
The main idea is having four predefined security levels that an administrator can configure by modifying /etc/crypto-policies/config or by using the update-crypto-policies script. These groups of policies are LEGACY, DEFAULT, NEXT, FUTURE, FIPS and EMPTY which have the following details:
* LEGACY MACs: All HMAC with SHA-1 or better + all modern MACs (Poly1305, ...) Curves: All prime >= 256 bits (including Bernstein curves) Signature algorithms: SHA-1 hash or better (DSA allowed) TLS Ciphers: All available >= 112-bit key, >= 128-bit block (including RC4 and 3DES) Non-TLS Ciphers: Same as TLS ciphers with added Camellia key exchange: ECDHE, RSA, DHE DH params size: >= 1024 RSA params size: >= 1024 DSA params size: >= 1024 TLS protocols: TLS >= 1.0, DTLS >= 1.0
* DEFAULT MACs: All HMAC with SHA-1 or better + all modern MACs (Poly1305, ...) Curves: All prime >= 256 bits (including Bernstein curves) Signature algorithms: With SHA-256 hash or better (not DSA) TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC) non-TLS Ciphers: Same as TLS Ciphers with added Camellia key exchange: ECDHE, RSA, DHE (no DHE-DSS) DH params size: >= 2048 RSA params size: >= 2048 DSA params size: >= 2048 TLS protocols: TLS >= 1.2, DTLS >= 1.2
* NEXT The NEXT policy is just an alias to the DEFAULT policy.
* FUTURE MACs: All HMAC with SHA-256 or better + all modern MACs (Poly1305, ...) Curves: All prime >= 256 bits (including Bernstein curves) Signature algorithms: SHA-256 hash or better (no DSA) TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers non-TLS Ciphers: Same as TLS ciphers with added non AE ciphers and Camellia key exchange: ECDHE, DHE (no DHE-DSS) DH params size: >= 3072 RSA params size: >= 3072 DSA params size: >= 3072 TLS protocols: TLS >= 1.2, DTLS >= 1.2
* FIPS MACs: All HMAC with SHA-1 or better Curves: All prime >= 256 bits (including Bernstein curves) Signature algorithms: SHA-224 hash or better (no DSA) TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including AES-CBC) non-TLS Ciphers: Same as TLS ciphers key exchange: ECDHE, RSA, DHE (no DHE-DSS) DH params size: >= 2048 RSA params size: >= 2048 DSA params size: >= 2048 TLS protocols: TLS >= 1.2, DTLS >= 1.2
* EMPTY All cryptographic algorithms are disabled (used for debugging only, do not use).
These policies can also change over time together with the security of the cryptographic components. Having crypto-policies allows to easily handle the deprecation of algorithms or protocols system-wide and in a transparent manner.
On a fresh install of the crypto-policies package, the DEFAULT policy is set as the default policy. The actual policy in use can be checked with the update-crypto-policies command:
Some policies could break applications that connect to servers which use weak cryptographic algorithms. If this occurs, you could use the LEGACY policy level until resolved by using update-crypto-policies:
update-crypto-policies --set LEGACY
If we notice significant user experience degradation, e.g., due to many custom servers utilizing legacy protocols, we will consider postponing that change or adapt that policy.
Create a new policy
Defining a new policy from scratch requires to create a file named <POLICY>.pol, where the name must be in uppercase and without spaces. This file must be located in the /etc/crypto-policies/policies folder or in /usr/share/crypto-policies/policies. As shown before, the newly created policy can be applied with:
update-crypto-policies --set <POLICY>
As examples of policies, see the .pol files in /usr/share/crypto-policies/policies/.
Modify existing cryptographic policies
The cryptographic policies can be set with policy modifiers to adjust certain algorithms or protocols. Modifying an existing policy can be done via policy modifier modules. These policy modifiers are text files, with extension .pmod, that include the modifications. The name of the modifier module must be <MODULE>.pmod, where <MODULE> is the name of the modifier in uppercase and without spaces. These files must be located in the /etc/crypto-policies/policies/modules folder, or in the /usr/share/crypto-policies/policies/modules folder if they come pre-installed).
For example, to disable SHA-1 hash, the modifier module /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod contains:
hash = -SHA1 sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1
And, the newly customized policy can be applied with:
update-crypto-policies --set DEFAULT:NO-SHA1
Enforcing system crypto-policies
To follow the crypto-policies, some application's configuration file or compilation option should set a system default option. That is, for example, for applications that use OpenSSL or GnuTLS a priority string or cipher named "SYSTEM" is used. Then, the shipped library will make sure that, once the "SYSTEM" option is encountered the pre-configured system settings will be applied. When an application doesn't specify any default settings the system settings should apply.
For example, for OpenSSL and GnuTLS this is:
* OpenSSL: The cipher string "PROFILE=SYSTEM" will be used to specify the system ciphers. Any applications not explicitly specifying ciphers will use the system ciphers.
* GnuTLS: The "@SYSTEM" priority string will be used to specify the system ciphers. Any applications using gnutls_set_default_priority() will also use the system ciphers.
We have carefully reviewed the packages that depend on OpenSSL and GnuTLS. Please, report back to us if you find any inconsistency by opening a bug report in openSUSE bugzilla.
The extension of crypto-policies support for the rest of the packages is tracked in boo#1211301. The remaining packages that need adaption are:
* mozilla-nss * krb5 * bind * openssh * libssh
Enable the Kernel FIPS mode
The fips-mode-setup command can be used to enable the kernel FIPS mode which also sets the system policy to FIPS:
# fips-mode-setup --enable Setting system policy to FIPS FIPS mode will be enabled. [...] Please reboot the system for the setting to take effect.
After a reboot, the fips mode can be verified with the following command:
# sysctl -a | grep fips crypto.fips_enabled = 1
Similarly, to disable the FIPS mode:
# fips-mode-setup --disable Setting system policy to DEFAULT FIPS mode will be disabled. [...] Please reboot the system for the setting to take effect.
Please, note that at this moment there is a bug in OpenSSH that prevents SSH access in FIPS mode.
Documentation and upstream project
For more information, please refer to the following man pages:
man 7 crypto-policies man 8 update-crypto-policies man 8 fips-mode-setup man 8 fips-finish-install