RHEL / RHEL-2734

RFE: Make it easier to configure LEGACY policy per service or per host

Details

    • Minor
    • sst_security_crypto
    • ssg_security

    Description

      Description of problem:

      At the moment, if you want to (e.g.) ssh to a particular host that
      uses legacy crypto, or upgrade RPM packages which use SHA1 signatures,
      or connect to an old HTTPS server with Firefox, then the easiest
      way to describe this to a customer is to use the big hammer:

          update-crypto-policies --set LEGACY

      This of course downgrades security for the whole system.

      The alternative is to use service-specific voodoo, e.g. the
      right way to do this for ssh to a host happens to be:

      .ssh/config:

          Host old-host
              KexAlgorithms diffie-hellman-group1-sha1

      (Actually I'm not sure that is true, I have read differing advice
      on this. Even if this works now, will it continue to work in future?)

      This bug is a request that somehow we make this easier.

      Version-Release number of selected component (if applicable):

      crypto-policies-20220223-1.git5203b41.el9.noarch
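
      An added example, not part of the original report and not code from crypto-policies or OpenSSH: a small audit that reads ssh client configuration text and reports whether legacy key-exchange algorithms are enabled only for named hosts (as in the `Host old-host` block above) or for every host. The function names, the `LEGACY_KEX` list and the sample configuration are assumptions made for illustration.

```python
# Assumption: a short, non-exhaustive set of SHA-1 based key-exchange names
# treated as "legacy" for this audit.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

def legacy_kex_scopes(config_text):
    """Return [(host_patterns, legacy_algorithms)] for each KexAlgorithms
    line that enables a legacy algorithm."""
    findings = []
    patterns = ["*"]  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = ["<Match " + value + ">"]  # reported, not evaluated
        elif key == "kexalgorithms" and not value.startswith("-"):
            # A leading '+' or '^' adds to the default list; '-' removes.
            names = [n.strip() for n in value.lstrip("+^").split(",")]
            legacy = [n for n in names if n in LEGACY_KEX]
            if legacy:
                findings.append((patterns, legacy))
    return findings

def audit(config_text):
    """Split findings into host-scoped ones and ones that hit every host."""
    report = {"scoped": [], "wildcard": []}
    for patterns, legacy in legacy_kex_scopes(config_text):
        bucket = "wildcard" if "*" in patterns else "scoped"
        report[bucket].append((patterns, legacy))
    return report

# Constructed sample configuration (not taken from the issue).
SAMPLE = """\
Host old-host
    KexAlgorithms diffie-hellman-group1-sha1
Host *.example.internal
    KexAlgorithms curve25519-sha256
Host *
    KexAlgorithms +diffie-hellman-group14-sha1
"""
```

      Entries under "wildcard" weaken every outgoing connection for that user, which is the per-user equivalent of the system-wide LEGACY switch; entries under "scoped" are confined to the listed hosts.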

          People

            asosedki@redhat.com Alexander Sosedkin
            rhn-eng-rjones Richard Jones
            Alexander Sosedkin Alexander Sosedkin
            SSG Security QE SSG Security QE