RHEL 8 makes it easy to enforce a strong and consistent cryptographic policy on your systems.
In the following exercises we’ll use the new commands for managing your crypto configurations and test them.
Show the current crypto policy.
You should see something like …
DEFAULT is one of the four crypto policies, along with LEGACY, FIPS 140, and FUTURE. You may view the details of these policies in the man page.
To see the effect of the DEFAULT policy, try pasting in this command:
openssl s_client --connect tls-v1-1.badssl.com:1011
You can see from the second line of output that it cannot make a TLS connection to that site and reports "unsupported protocol", because the DEFAULT policy does not permit TLS 1.1.
Now let’s change the default crypto policy from DEFAULT to something less secure, just for testing purposes. We’ll set the crypto policy to LEGACY to temporarily allow insecure TLS 1.1 communication from our system.
Change the crypto policy to LEGACY.
sudo update-crypto-policies --set LEGACY
Now test communication to the same site again. This time it connects and reports TLS v1.1:
timeout 3 openssl s_client --connect tls-v1-1.badssl.com:1011 | grep Protocol
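An added example, not part of the original exercise: a shell check that flags a host left on LEGACY after a test like the one above, or one whose configured policy was never applied. It assumes the files /etc/crypto-policies/config and /etc/crypto-policies/state/current that update-crypto-policies maintains; the function names, verdict strings and return codes are illustrative.

```sh
#!/bin/sh
# Added example: audit the system-wide crypto policy from its state files.
# Passing ROOT lets the check run on a mounted image or a constructed test tree.

# Print the first non-blank, non-comment line of a file with whitespace removed.
policy_from_file() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | head -n 1
}

# audit_crypto_policy [ROOT]
# Prints one verdict line. Returns 0 = ok, 1 = weak or needs review,
# 2 = configured policy differs from the applied one, 3 = state unreadable.
audit_crypto_policy() {
    root="${1:-}"
    configured=$(policy_from_file "$root/etc/crypto-policies/config") || configured=""
    applied=$(policy_from_file "$root/etc/crypto-policies/state/current") || applied=""
    if [ -z "$configured" ] || [ -z "$applied" ]; then
        echo "UNKNOWN: cannot read crypto policy files under ${root:-/}"
        return 3
    fi
    if [ "$configured" != "$applied" ]; then
        echo "DRIFT: configured=$configured applied=$applied"
        return 2
    fi
    # Policy names as they are written in the state file.
    case "$applied" in
        LEGACY*)
            echo "WEAK: $applied is active; restore with: update-crypto-policies --set DEFAULT"
            return 1 ;;
        DEFAULT|FUTURE|FIPS)
            echo "OK: $applied"
            return 0 ;;
        *)
            echo "REVIEW: $applied is a modified or custom policy"
            return 1 ;;
    esac
}
```

Call audit_crypto_policy with no argument to check the running system, and use the return code in a compliance job or login banner script.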