Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-76526

openssl Ciphersuites are controlled by ciphers crypto-policy option alone

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • crypto-policies-20250128-1.git22421d3.el10
    • No
    • Low
    • 1
    • rhel-security-crypto
    • ssg_security
    • 26
    • 0.2
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto25Q1
    • Bug Fix
    • Hide
      .OpenSSL cipher suites no longer enable cipher suites with disabled hashes or MACs

      Previously, applying custom cryptographic policies could leave certain TLS 1.3 cipher suites enabled even if their hashes or MACs were disabled, because the OpenSSL TLS 1.3-specific `Ciphersuites` option values were controlled only by the `ciphers` option of the cryptographic policy. With this update, `crypto-policies` takes more algorithms into account when deciding whether to enable a cipher suite. As a result, OpenSSL on systems with custom cryptographic policies might refuse to negotiate some of the previously enabled TLS 1.3 cipher suites in better accordance with the system configuration.
      Show
      .OpenSSL cipher suites no longer enable cipher suites with disabled hashes or MACs Previously, applying custom cryptographic policies could leave certain TLS 1.3 cipher suites enabled even if their hashes or MACs were disabled, because the OpenSSL TLS 1.3-specific `Ciphersuites` option values were controlled only by the `ciphers` option of the cryptographic policy. With this update, `crypto-policies` takes more algorithms into account when deciding whether to enable a cipher suite. As a result, OpenSSL on systems with custom cryptographic policies might refuse to negotiate some of the previously enabled TLS 1.3 cipher suites in better accordance with the system configuration.
    • Done
    • None

      Currently, openssl TLS 1.3 specific Ciphersuites option values
      are controlled by the ciphers crypto-policy option alone,
      without taking into account that security of a ciphersuite relies on use multiple algorithms,
      such as hash functions and MACs in addition to the ciphers,
      and distrusting them should distrust the entire ciphersuite as well.

      This ticket is a request to backport this functionality from Fedora
      (https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/222).

      The impact of the change on the existing policies should be next to nonexistent.
      Out of the policies we ship,
      FIPS:OSPP will have all Ciphersuites disabled due to OSPP subpolicy disabling TLS 1.3 altogether,
      the rest should see no change.

              asosedki@redhat.com Alexander Sosedkin
              asosedki@redhat.com Alexander Sosedkin
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: