This repository contains the crypto-policies data and scripts used in Fedora.
| Release | Status |
|---|---|
| master | |
| F26 | |
| F27 | |
| F28 | |
## Purpose

The purpose is to unify the crypto policies used by different applications and libraries. That is, it allows setting a consistent security level for crypto in all applications on a Fedora system, irrespective of the crypto library in use.

## Description

The idea is to have a few predefined security policies, such as LEGACY, DEFAULT and FUTURE, which are set system-wide by the administrator. Applications that have no special needs then follow these policies by default. That way the management of the various crypto applications and libraries used in a system is simplified significantly.

The current implementation works by setting the desired policy in `/etc/crypto-policies/config`. After this file is changed, the script `update-crypto-policies` must be executed, and the new policy takes effect for the supported back ends.
The supported back ends in Fedora are:
- GnuTLS
- OpenSSL
- NSS
- BIND
- libkrb5
- OpenSSH
- Java via OpenJDK
The documentation of crypto policies is in `update-crypto-policies.8.txt`.

## Generating the policies

The policies are described in Perl at `back-ends/profiles/POLICYFILE.pl`, and they operate on strings defined in `back-ends/profiles/common.pm`. Individual application configuration generators are present in `back-ends/`.

To generate the per-application policies, use the script `./generate-policies.pl DESTDIR` or `make install`.

For testing purposes, the per-application policies generated from the current config are placed in `tests/outputs`, and `make check` verifies that the generated policies match the stored ones. To reset the outputs, run `make reset-outputs` and then `make check` to regenerate them.
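As an added example (not code from the crypto-policies project), the following POSIX shell script models the two steps described above: reading and validating the policy name from a config file in the style of `/etc/crypto-policies/config`, and checking a freshly generated back-end output tree against a stored reference tree the way `make check` does. The config-file format (one policy name, `#` comments allowed), the temporary directory layout and the sample back-end file name and content are assumptions.

```shell
#!/bin/sh
# Added example, not part of the crypto-policies project. The config format
# (a single policy name, '#' comments and blank lines ignored) is assumed.

# The predefined policies named in the README.
KNOWN_POLICIES="LEGACY DEFAULT FUTURE"

# Print the policy name found in CONFIG (first non-blank, non-comment line,
# whitespace stripped, uppercased). Return 1 if unreadable, empty or unknown.
policy_from_config() {
    config="$1"
    [ -r "$config" ] || return 1
    name=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$config" \
           | grep -v '^$' | head -n 1 | tr '[:lower:]' '[:upper:]')
    [ -n "$name" ] || return 1
    for p in $KNOWN_POLICIES; do
        [ "$p" = "$name" ] && { printf '%s\n' "$name"; return 0; }
    done
    return 1
}

# Compare a generated output tree with the stored reference tree.
# Return 0 when every file matches, 1 when any file differs or is missing.
outputs_match() {
    generated="$1"; stored="$2"
    diff -r -q "$stored" "$generated" >/dev/null 2>&1
}

# Self-contained demo on constructed data in a temporary directory: the
# back-end file name and its one-line content are made up for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# system-wide policy\nDEFAULT\n' > "$tmp/config"
    mkdir -p "$tmp/stored/DEFAULT" "$tmp/generated/DEFAULT"
    printf 'MinProtocol = TLSv1.2\n' > "$tmp/stored/DEFAULT/sample-backend.txt"
    cp "$tmp/stored/DEFAULT/sample-backend.txt" "$tmp/generated/DEFAULT/"
    pol=$(policy_from_config "$tmp/config") && echo "policy: $pol"
    if outputs_match "$tmp/generated" "$tmp/stored"; then
        echo "outputs match"; rc=0
    else
        echo "outputs differ"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call `demo` to run the constructed scenario; `policy_from_config /etc/crypto-policies/config` can be used on a real system to see which policy name the check would accept.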