Exercise 1.5 - Managing Cryptographic Policies

Return to Workshop

Exercise Description

RHEL 8 makes it easy to enforce a strong and consistent cryptographic policy on your systems.

In the following exercises we’ll use the new commands for managing your crypto configurations and test them.

Section 1: Viewing and changing the crypto policy

Show the current crypto policy.

update-crypto-policies --show

You should see something like …​

DEFAULT

DEFAULT is one of the four crypto policies, along with LEGACY, FIPS 140, and FUTURE. You may view the details of these policies in the man page.

man crypto-policies

To see the effect of the DEFAULT policy, try pasting in this command:

openssl s_client --connect tls-v1-1.badssl.com:1011

You can see from the 2nd line of output that it cannot make a TLS connection to that site, and reports "unsupported protocol".

Now let’s change the default crypto policy from DEFAULT to something less secure, just for testing purposes. We’ll set the crypto policy to LEGACY to temporarily allow insecure TLS 1.1 communication from our system.

Change the crypto policy to LEGACY.

sudo update-crypto-policies --set LEGACY

And now let’s test communication to the same site; now it connects, and reports TLS v1.1:

timeout 3 openssl s_client --connect tls-v1-1.badssl.com:1011 | grep Protocol

Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop