Merged
Expand Up @@ -6,8 +6,8 @@
- name: "{{{ rule_title }}}: set_fact"
set_fact:
path: /etc/crypto-policies/back-ends/gnutls.config
correct_value: '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
lineinfile_reg: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0
correct_value: '+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
lineinfile_reg: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-TLS1\.1:-VERS-TLS1\.0:-VERS-SSL3\.0:-VERS-DTLS1\.0

- name: "{{{ rule_title }}}: stat"
stat:
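Review bot: `lineinfile_reg` and `correct_value` now encode one fixed keyword order, `-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0`, so the regex will not match an existing gnutls.config line that carries the same keywords in the previous order (`-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1`), and lineinfile will append a second `+VERS-ALL:...` line instead of replacing the old one. If the keyword order really does not matter, as the updated rule description states, make the match order-independent (for example by checking each `-VERS-*` keyword separately); otherwise the remediation should remove the old-ordered line. Either way, keep this literal identical across the Ansible, Bash, OVAL and test files, since all of them match the same string.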
Expand Up @@ -5,7 +5,7 @@
# disruption = low

CONF_FILE=/etc/crypto-policies/back-ends/gnutls.config
correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
correct_value='+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'

grep -q ${correct_value} ${CONF_FILE}

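Review bot: `grep -q ${correct_value} ${CONF_FILE}` passes the value as an unescaped basic regular expression with unquoted variables, so every `.` in `DTLS0.9`, `TLS1.1`, `TLS1.0`, `SSL3.0` and `DTLS1.0` is a wildcard; use `grep -qF -- "${correct_value}" "${CONF_FILE}"` for a literal match. The check also accepts a commented-out line such as `#+VERS-ALL:...`, although the rule text requires the line to be active; consider excluding comment lines before testing for the value.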
@@ -1,5 +1,5 @@
{{%- set regex = "\+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0" -%}}
{{%- set TEXT = "+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" -%}}
{{%- set regex = "\+VERS-ALL:-VERS-DTLS0\.9:-VERS-TLS1\.1:-VERS-TLS1\.0:-VERS-SSL3\.0:-VERS-DTLS1\.0" -%}}
{{%- set TEXT = "+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0" -%}}
{{%- set PATH = "/etc/crypto-policies/back-ends/gnutls.config" -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
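Review bot: `regex` and `TEXT` were updated together, which is right, but `regex` is a fixed-order literal, so hosts whose gnutls.config still lists the keywords in the previous order (`-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1`), i.e. systems remediated with the earlier version of this content, will now fail this OVAL check even though the rule description added in this change says the order is irrelevant. Unless the pattern is anchored further down in the definition (not shown), it will also match the substring inside a commented line.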
Expand Up @@ -11,7 +11,9 @@ description: |-
To check that Crypto Policies settings are configured correctly, ensure that
<tt>/etc/crypto-policies/back-ends/gnutls.config</tt> contains the following
line and is not commented out:
<tt>+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0</tt>
<tt>+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0</tt>

These keywords are order-independent, so the line can be in any order. GnuTLS will then prefer the highest version.

rationale: |-
Overriding the system crypto policy makes the behavior of the GnuTLS
Expand All @@ -34,13 +36,13 @@ ocil_clause: 'cryptographic policy for gnutls is not configured or is configured
ocil: |-
To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run:
<pre>$ sudo grep
'+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'
'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
/etc/crypto-policies/back-ends/gnutls.config</pre> and verify that a match exists.

fixtext: |-
Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":

+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0

A reboot is required for the changes to take effect.

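Review bot: the new sentence "These keywords are order-independent, so the line can be in any order" contradicts the checks in this same change: the Ansible `lineinfile_reg`, the Bash `grep` and the OVAL `regex` all require the exact order `-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0`. Either state in the description and in `ocil` that this exact order is expected, or make the checks order-independent. The `ocil` grep has the same literal-vs-regex issue as the Bash check (each `.` is a wildcard), so `grep -F` would be the accurate instruction. The claim that "GnuTLS will then prefer the highest version" is what justifies order-independence and should reference the GnuTLS priority-string documentation.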
Expand Up @@ -3,4 +3,4 @@

configfile=/etc/crypto-policies/back-ends/gnutls.config

echo 'SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM' > "$configfile"
echo 'SYSTEM=NONE:+MAC-ALL:-MD5:+GROUP-ALL:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+SIGN-RSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+CIPHER-ALL:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-128:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM' > "$configfile"
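Review bot: this fixture now exercises only the new keyword order. Add a second scenario with the keywords in the previous order (`-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1`) to document whether the checks are meant to pass it (order-independent, as the description claims) or fail it, and a third with the line commented out, since the description requires that it is not commented out and none of the checks in this change distinguish a `#`-prefixed line.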