How to disable specific crypto algorithms when using system-wide cryptographic policies
This article explains how to disable specific algorithms and how to verify that they are effectively disabled.
See also the article System-wide cryptographic policies in RHEL.
NOTE: For detailed and up-to-date information about crypto-policies see the following product documentation:
- RHEL 8 Security hardening: Using system-wide cryptographic policies
- RHEL 9 Security hardening: Using system-wide cryptographic policies
Important note: using the openssl ciphers command to confirm the changes will give false positives, because the command doesn't rely on the runtime configuration.
Before applying modifications, verify whether they are necessary by running the verification checks described below.
For demonstration purposes, we assume the reader wants to disable SHA-1 signatures and CBC ciphers globally and the current policy is set to DEFAULT.
Disabling SHA-1
SHA-1 can be disabled through applying the NO-SHA1 policy module:
# update-crypto-policies --set DEFAULT:NO-SHA1
Note that this will not disable the hmac-sha1 MAC algorithm. To disable hmac-sha1, a custom module such as the following is also needed:
# cat > /etc/crypto-policies/policies/modules/NO-HMAC-SHA1.pmod << EOF
mac = -HMAC-SHA1
EOF
# update-crypto-policies --set DEFAULT:NO-SHA1:NO-HMAC-SHA1
Disabling CBC
As of the time of writing (Oct 2023), no standard policy module is shipped to disable CBC.
In order to disable CBC ciphers, a custom policy module has to be written, as shown below:
# cat > /etc/crypto-policies/policies/modules/NO-CBC.pmod << EOF
cipher@ssh = -*-CBC
EOF
Note the '-' after the equal sign, which negates the ciphers in question, i.e. removes them from the policy. In this example, the module limits itself to ssh, i.e. openssh-server (sshd), openssh-client (ssh/sftp) and libssh backends (used by curl in particular).
To apply the restriction to all services except Kerberos ([1]) on the system, you may be less specific and use the following instead:
cipher = -*-CBC
cipher@krb5 = +*-CBC
[1] Disabling CBC for all services will also disable CTS ciphers as used in Kerberos5 as per RFC3962, hence the exception.
Once done, apply the new policy:
# update-crypto-policies --set DEFAULT:NO-CBC
Disabling multiple algorithms (for example, SHA-1 and CBC)
In the previous example, only one type of algorithm was disabled. To disable multiple algorithms, specify more policy modules on the command line, e.g.:
# update-crypto-policies --set DEFAULT:NO-SHA1:NO-CBC
Disabling other algorithms
In the CBC example, we used the cipher@ssh token to disable CBC for OpenSSH components only.
This @<token> suffix comes from the source code of the /usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py Python script used internally to generate the configuration snippets.
More values are possible. Check the ALL_SCOPES variable in that file for details, e.g.:
ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
'tls', 'ssl', 'openssl', 'nss', 'gnutls', 'java-tls',
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
'ipsec', 'ike', 'libreswan',
'kerberos', 'krb5',
'dnssec', 'bind',
)
The list of available algorithms is defined in the source code of the /usr/share/crypto-policies/python/cryptopolicies/alg_lists.py Python script. See the various ALL_* sections in the file, e.g.:
ALL_CIPHERS = (
'AES-256-GCM', 'AES-256-CCM',
'AES-192-GCM', 'AES-192-CCM',
'AES-128-GCM', 'AES-128-CCM',
'CHACHA20-POLY1305',
'CAMELLIA-256-GCM', 'CAMELLIA-128-GCM',
'AES-256-CTR', 'AES-256-CBC',
'AES-192-CTR', 'AES-192-CBC',
'AES-128-CTR', 'AES-128-CBC',
'CAMELLIA-256-CBC', 'CAMELLIA-128-CBC',
'3DES-CBC', 'DES-CBC', 'RC4-40', 'RC4-128',
'DES40-CBC', 'RC2-CBC', 'IDEA-CBC', 'SEED-CBC',
'NULL',
)
ALL_MACS = (
'AEAD', 'UMAC-128', 'HMAC-SHA1', 'HMAC-SHA2-256',
'HMAC-SHA2-384', 'HMAC-SHA2-512', 'UMAC-64', 'HMAC-MD5',
)
[...]
So, for example, if you want to disable HMAC-SHA1 for SSH, an example module would be:
# cat > /etc/crypto-policies/policies/modules/NO-HMAC-SHA1.pmod << EOF
mac@ssh = -HMAC-SHA1
EOF
Disabling TLS1.2
# cat > /etc/crypto-policies/policies/modules/NO-TLS12.pmod << EOF
protocol@tls = -TLS1.2
EOF
Verifying modifications are applied (ssh)
To verify that the modification of the policy was taken into account, use the following commands, assuming the modification also impacts the sshd service:
# yum -y install nmap
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1
- Record the current state before applying the policy:
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 > sshd.before
- Apply the new policy, for example:
# update-crypto-policies --set DEFAULT:NO-CBC
- Record the new state and compare the outputs:
# nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 > sshd.after
# diff -u sshd.before sshd.after
[...]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
@@ -25,14 +23,12 @@
 | ssh-rsa
 | ecdsa-sha2-nistp256
 | ssh-ed25519
-| encryption_algorithms: (7)
+| encryption_algorithms: (5)
 | aes256-gcm@openssh.com
 | chacha20-poly1305@openssh.com
 | aes256-ctr
-| aes256-cbc
 | aes128-gcm@openssh.com
 | aes128-ctr
-| aes128-cbc
 | mac_algorithms: (8)
 | hmac-sha2-256-etm@openssh.com
 | hmac-sha1-etm@openssh.com
In the previous listing, the aes256-cbc and aes128-cbc are not in sshd.after output, confirming the changes were applied.
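The before/after comparison can also be scripted so that a leftover algorithm fails a check instead of depending on someone reading the diff. The following is an added example, not part of the original article: the function names are hypothetical, the scan output is a constructed sample, and the two match patterns are assumptions about how CBC and HMAC-SHA1 names appear in ssh2-enum-algos output.

```shell
# Print the algorithm names listed under one section of the script output.
# $1 = section name (e.g. encryption_algorithms); nmap output on stdin.
algos_in_section() {
    awk -v want="$1" '
        { sub(/^[|_ \t]+/, "") }              # strip the "|   " tree prefix
        /^[a-z0-9_]+: \([0-9]+\)$/ {          # header, e.g. "mac_algorithms: (8)"
            cur = $1; sub(/:$/, "", cur); next
        }
        cur == want && NF == 1 { print $1 }
    '
}

# Print algorithms in section $1 matching ERE $2; status 0 = still offered.
still_offered() {
    algos_in_section "$1" | grep -Ei -- "$2"
}

# Constructed sample modelled on the sshd.after listing (not a real scan).
sample_after() {
    cat <<'EOF'
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos:
|   encryption_algorithms: (5)
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes128-ctr
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha2-256
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
EOF
}

# Run both checks; return 0 only if nothing unwanted is still offered.
verify_after() {   # $1 = function or command printing saved nmap output
    rc=0
    "$1" | still_offered encryption_algorithms '-cbc(@|$)' && { echo "CBC still offered"; rc=1; }
    "$1" | still_offered mac_algorithms '^hmac-sha1' && { echo "HMAC-SHA1 still offered"; rc=1; }
    return $rc
}

verify_after sample_after || echo "policy not fully applied"
```

On the sample, the CBC check passes while hmac-sha1-etm@openssh.com is still reported, which matches the note above that HMAC-SHA1 needs its own module. To check a real scan, pass a function that prints the contents of sshd.after instead of sample_after.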
Verifying modifications are applied (https)
As in the previous section, nmap can be used to report the ciphers enabled for HTTPS:
# nmap --script=ssl-enum-ciphers -sV -p 443 127.0.0.1
Alternatively, you can scan the service using the third-party project testssl.sh (WARNING: not endorsed by Red Hat in any way).