Exercise 1.5 - Managing Cryptographic Policies

Return to Workshop

Exercise Description

RHEL 8 makes it easy to enforce a strong and consistent cryptographic policy on your systems.

In the following exercises we’ll use the new commands for managing your crypto configurations and test them. We will be using the web site badssl.com to test connections using different versions of relevant protocols, such as TLS.

Section 1: Viewing and changing the crypto policy

Show the current crypto policy.

update-crypto-policies --show

You should see something like …​

DEFAULT

DEFAULT is one of the four crypto policies, along with LEGACY, FIPS 140, and FUTURE. You may view the details of these policies in the man page.

man crypto-policies

The system-wide crypto policies functionality is new to RHEL 8. It is part of Red Hat’s efforts to further reduce the attack surface of your RHEL systems and the applications you build on them.

To see the effect of the DEFAULT policy, try pasting in this command:

openssl s_client --connect tls-v1-1.badssl.com:1011

You can see from the 2nd line of output that it cannot make a TLS connection to that site, and reports "unsupported protocol".

Now let’s change the default crypto policy from DEFAULT to something less secure, just for testing purposes. We’ll set the crypto policy to LEGACY to temporarily allow insecure TLS 1.1 communication from our system.

Change the crypto policy to LEGACY.

sudo update-crypto-policies --set LEGACY

Note: You may see a warning requesting a reboot for the policy change to fully take place, but this is not necessary for this exercise.

Let’s test communication to the same site; It should connect successfully, and report TLS v1.1:

timeout 3 openssl s_client --connect tls-v1-1.badssl.com:1011 | grep Protocol

Workshop Details

Domain Red Hat Logo
Workshop
Student ID

Return to Workshop