RHEL-2734

RFE: Make it easier to configure LEGACY policy per service or per host


      Description of problem:

      At the moment if you want to (e.g.) ssh to a particular host that
      uses legacy crypto, or upgrade RPM packages which use SHA1 signatures,
      or connect to an old HTTPS server with Firefox, then the easiest
      way to describe this to a customer is to use the big hammer:

      1. update-crypto-policies --set LEGACY

      This of course downgrades security for the whole system.

      The alternative is to use service-specific voodoo, e.g. the
      right way to do this for ssh to a host happens to be:

      .ssh/config:
      Host old-host
          KexAlgorithms diffie-hellman-group1-sha1

      (Actually I'm not sure that is true, I have read differing advice
      on this. Even if this works now, will it continue to work in future?)

      This bug is a request that somehow we make this easier.

      Version-Release number of selected component (if applicable):


            asosedki@redhat.com Alexander Sosedkin
            rhn-eng-rjones Richard Jones
            Alexander Sosedkin Alexander Sosedkin
            SSG Security QE SSG Security QE
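
An added example, not part of the original report or of any Red Hat tooling: a small audit that reads an OpenSSH client config and reports where SHA-1 key exchange is enabled, and whether that exception is scoped to named hosts (like the `Host old-host` stanza in the description) or applies to every host. The `LEGACY_KEX` set, the sample config, the `.example.test` names and the `audit_kex` function are assumptions made for illustration.

```python
import re

# Assumption: these SHA-1 based OpenSSH key exchange names count as "legacy" here.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# Constructed sample config; only "old-host" comes from the issue text.
SAMPLE = """\
Host old-host
    KexAlgorithms diffie-hellman-group1-sha1

Host lab-*.example.test
    KexAlgorithms +diffie-hellman-group14-sha1

Host *
    KexAlgorithms=+diffie-hellman-group1-sha1,curve25519-sha256
"""

def audit_kex(config_text):
    """Return one finding per KexAlgorithms line that enables a legacy algorithm."""
    findings = []
    scope = ["*"]  # directives before the first Host/Match apply to every host
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # ssh_config accepts "Keyword value" and "Keyword=value"; blanks and
        # "#" comments do not match and are skipped.
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", raw.strip())
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "host":
            scope = rest.split()
        elif keyword == "match":
            scope = ["*"] if rest.strip().lower() == "all" else ["match " + rest]
        elif keyword == "kexalgorithms":
            # A leading +, - or ^ edits the default list; a bare list replaces it.
            mode = {"+": "append", "-": "remove", "^": "prepend"}.get(rest[:1], "replace")
            names = [n.strip() for n in rest.lstrip("+-^").split(",")]
            legacy = sorted(LEGACY_KEX.intersection(names))
            if legacy and mode != "remove":
                findings.append({"line": lineno, "scope": scope, "mode": mode,
                                 "system_wide": "*" in scope, "legacy": legacy})
    return findings

if __name__ == "__main__":
    for f in audit_kex(SAMPLE):
        where = "ALL HOSTS" if f["system_wide"] else " ".join(f["scope"])
        print(f"line {f['line']}: {where}: {f['mode']} {','.join(f['legacy'])}")
```

A finding with `mode` of `replace` means the host negotiates only the listed algorithms, while `append` keeps the defaults and adds the legacy one; `system_wide` flags an override that is no longer limited to a single host.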