RHEL / RHEL-71132

[RFE] get rid of checking /etc/crypto-policies/back-ends/openssl.config

    • openssl-3.2.2-15.el10
      AC1) The SYSTEM_CIPHERS_FILE_DEFINE variable is set to /etc/crypto-policies/back-ends/opensslcnf.config instead of /etc/crypto-policies/back-ends/openssl.config (from "openssl version -a" command)
      AC2) The CipherString from /etc/crypto-policies/back-ends/opensslcnf.config is used as the system default
      AC3) When there is PROFILE=SYSTEM in CipherString in config it should use the ciphers from /etc/crypto-policies/back-ends/opensslcnf.config otherwise use only the ciphers from the config.
      AC4 optional) /etc/crypto-policies/back-ends/openssl.config is not present/generated.


      RHEL OpenSSL carries a downstream patch:
      https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/8b5d84e94572646637f5c47973a378e226fe937d/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
      which makes it check /etc/crypto-policies/back-ends/openssl.config when PROFILE=SYSTEM, overrideable with OPENSSL_SYSTEM_CIPHERS_OVERRIDE.
      At the same time, a superset of the exact same information is available from OPENSSL_CONF=/etc/ssl/openssl.cnf, which includes /etc/crypto-policies/back-ends/opensslcnf.config; crypto-policies generates both files from the same data.

      In order to reduce the amount of moving parts and simplify the overriding history, I propose removing /etc/crypto-policies/back-ends/openssl.config and the downstream patch in RHEL-11/ELN.

      What do you try to do: override crypto-policies
      What do you do: set OPENSSL_CONF to a hand-crafted config
      What do you observe: openssl still follows crypto-policies unless OPENSSL_SYSTEM_CIPHERS_OVERRIDE is also employed
      What do you want to observe: openssl stops following crypto-policies altogether when OPENSSL_CONF no longer includes crypto-policies.
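The following is an added example, not code from this issue, from crypto-policies or from the openssl package. It checks on a given host which crypto-policies file the openssl build consults for PROFILE=SYSTEM, then reproduces the observation above: a hand-crafted OPENSSL_CONF that neither includes crypto-policies nor sets a CipherString, compared with and without OPENSSL_SYSTEM_CIPHERS_OVERRIDE. It assumes the downstream build exposes the define as a `-DSYSTEM_CIPHERS_FILE=...` flag in the compiler line of `openssl version -a`; the config layout written below is the example's own choice.

```shell
#!/bin/sh
# Added example, not from the RHEL issue or the openssl project. Assumes a
# RHEL/Fedora-style openssl build that shows the downstream
# -DSYSTEM_CIPHERS_FILE=... compiler flag in "openssl version -a"; on an
# upstream build no such flag exists and OPENSSL_SYSTEM_CIPHERS_OVERRIDE is inert.

# Print the crypto-policies file compiled in as the PROFILE=SYSTEM source,
# parsed from "openssl version -a" output read on stdin. Prints nothing when
# the build carries no such define (which is what AC4 of this RFE leads to).
system_ciphers_file() {
    tr -d '"\\' | sed -n 's/.*-DSYSTEM_CIPHERS_FILE=\([^ ]*\).*/\1/p' | head -n 1
}

# Write a hand-crafted OpenSSL config to $1 that does NOT .include the
# crypto-policies back-end and sets no CipherString, so any cipher list openssl
# then uses comes from its compiled-in default (PROFILE=SYSTEM downstream).
write_private_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Deliberately no CipherString and no .include of the system policy.
MinProtocol = TLSv1.2
EOF
    echo "$1"
}

# Report whether a hand-crafted OPENSSL_CONF alone detaches openssl from
# crypto-policies. Prints one of:
#   no-openssl  openssl is not installed
#   unpatched   build has no SYSTEM_CIPHERS_FILE define (upstream build)
#   follows     cipher list changes once OPENSSL_SYSTEM_CIPHERS_OVERRIDE=1 is
#               added, i.e. the compiled-in default still pulled in the policy
#   detached    cipher list is identical with and without the override
check_override() {
    conf="$1"
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    sysfile=$(openssl version -a 2>/dev/null | system_ciphers_file)
    [ -n "$sysfile" ] || { echo unpatched; return 0; }
    without=$(OPENSSL_CONF="$conf" openssl ciphers 2>/dev/null)
    with=$(OPENSSL_CONF="$conf" OPENSSL_SYSTEM_CIPHERS_OVERRIDE=1 openssl ciphers 2>/dev/null)
    if [ "$without" = "$with" ]; then echo detached; else echo follows; fi
}

# Usage: write the config to a temporary file and run both checks.
tmpconf=$(mktemp)
write_private_conf "$tmpconf" >/dev/null
if command -v openssl >/dev/null 2>&1; then
    echo "compiled-in system ciphers file: $(openssl version -a | system_ciphers_file)"
fi
echo "OPENSSL_CONF-only override result: $(check_override "$tmpconf")"
rm -f "$tmpconf"
```

On a build carrying the downstream patch the result is "follows": the hand-crafted config removed the .include, but the compiled-in default cipher string is still PROFILE=SYSTEM, so the policy file is read until the override variable is also set. Once the patch is dropped as proposed, the same script reports "unpatched" and OPENSSL_CONF alone is the whole override story.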

              dbelyavs@redhat.com Dmitry Belyavskiy
              asosedki@redhat.com Alexander Sosedkin
              George Pantelakis