Configure OpenSSL library to use System Crypto Policy
Description
Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSL honours the system crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, examine the OpenSSL configuration file at /etc/pki/tls/openssl.cnf. This file uses the ini format, and crypto policy support is enabled when it contains a [ crypto_policy ] section holding the directive .include /etc/crypto-policies/back-ends/opensslcnf.config.
Rationale
Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes the system configuration more fragmented.
Shell script
The following script can be run on the host to remediate the issue.
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
# Extended regex (grep -E): the "=" between .include and the path is optional in OpenSSL config syntax.
OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf\.config$'

function remediate_openssl_crypto_policy() {
    CONFIG_FILE=/etc/pki/tls/openssl.cnf
    if test -f "$CONFIG_FILE"; then
        if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
            # No [ crypto_policy ] section at all: append one together with the include directive.
            printf '\n%s\n\n%s\n' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
            return 0
        elif ! grep -qE "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
            # Section exists but lacks the include: insert it directly after the section header.
            sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
            return 0
        fi
    else
        echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
        return 1
    fi
}

remediate_openssl_crypto_policy
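As an added stand-alone check that is not part of this rule's own content, the following Python script applies the same section-and-directive logic as the shell remediation above to the file text: audit() walks openssl.cnf section by section and skips comment lines, so a commented-out or misplaced .include is reported as missing, and remediate() returns the corrected text. The function names and the sample configuration are constructed for this example.

```python
import re
from pathlib import Path

OPENSSL_CNF = Path("/etc/pki/tls/openssl.cnf")
POLICY_INCLUDE = "/etc/crypto-policies/back-ends/opensslcnf.config"

SECTION_RE = re.compile(r"^\[\s*crypto_policy\s*\]$")
ANY_SECTION_RE = re.compile(r"^\[.*\]$")
# The "=" between .include and the path is optional in OpenSSL's config syntax.
INCLUDE_RE = re.compile(r"^\.include\s*(?:=\s*)?" + re.escape(POLICY_INCLUDE) + r"$")


def audit(text: str) -> dict:
    """Report whether a [crypto_policy] section exists and contains the .include."""
    # Comment lines and directives placed in other sections do not count.
    in_policy = False
    found = {"section": False, "include": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ANY_SECTION_RE.match(line):
            in_policy = bool(SECTION_RE.match(line))
            found["section"] = found["section"] or in_policy
        elif in_policy and INCLUDE_RE.match(line):
            found["include"] = True
    return found


def remediate(text: str) -> str:
    """Return the text with section and directive ensured (same logic as the shell script)."""
    state = audit(text)
    include_line = f".include = {POLICY_INCLUDE}"
    if state["section"] and state["include"]:
        return text
    if not state["section"]:
        sep = "" if not text or text.endswith("\n") else "\n"
        return f"{text}{sep}\n[ crypto_policy ]\n\n{include_line}\n"
    lines = text.splitlines(keepends=True)
    idx = next(i for i, ln in enumerate(lines) if SECTION_RE.match(ln.strip()))
    lines.insert(idx + 1, f"\n{include_line}\n")
    return "".join(lines)


# Constructed sample: the section exists but its directive is commented out.
SAMPLE_BROKEN = "[ crypto_policy ]\n#.include /etc/crypto-policies/back-ends/opensslcnf.config\n\n[ new_oids ]\n"

if __name__ == "__main__":
    print(audit(OPENSSL_CNF.read_text()))
```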
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
# Probe whether openssl.cnf already has a [crypto_policy] section; the result drives the two tasks below.
- name: Test for crypto_policy group
  command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf
  register: test_crypto_policy_group
  ignore_errors: true
  changed_when: false
  check_mode: false
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

# Section exists: make sure the include directive follows the section header.
- name: Add .include for opensslcnf.config to crypto_policy section
  lineinfile:
    create: true
    insertafter: ^\s*\[\s*crypto_policy\s*]\s*
    line: .include = /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length > 0
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

# No section yet: append both the section header and the include directive.
- name: Add crypto_policy group and set include opensslcnf.config
  lineinfile:
    create: true
    line: |-
      [crypto_policy]
      .include = /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length < 1
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy