Configuring the Crypto Policy for Disabling CBC and SHA-1 Hash

  1. Check which system-wide crypto policy the Rocky Linux 8/RHEL 8 VM currently uses. Whatever it reports (DEFAULT is the default; any other base policy is handled the same way), copy that policy file from /usr/share/crypto-policies/policies/ into /etc/crypto-policies/policies/modules/ as a new subpolicy (.pmod) file. The commands below assume the base policy is DEFAULT:

    update-crypto-policies --show
    
    sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
  2. Remove the CBC ciphers from the new subpolicy. Each sed deletes the first occurrence of one cipher name on every line of the file; afterwards, run grep -- '-CBC' on the .pmod file to confirm that no CBC entry survived:

    sudo sed --in-place 's/CAMELLIA-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/AES-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/CAMELLIA-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/AES-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    
  3. Disable SHA-1:

    1. Make the NO-SHA1 subpolicy available. It ships with the distribution under /usr/share/crypto-policies/policies/modules/, and update-crypto-policies also resolves subpolicies from that directory, so this copy mainly gives you a local copy that you can edit:

      sudo cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/poli

    2. Apply the DEFAULT policy together with the DISABLE-CBC and NO-SHA1 subpolicies, then reboot the VM so that every consumer of the policy (OpenSSL, GnuTLS, NSS, OpenSSH, and others) loads the regenerated back-end configuration. Make sure you have console access before rebooting: peers that can only negotiate CBC ciphers or SHA-1 MACs and signatures (older SSH clients, legacy TLS endpoints) will no longer be able to connect.

      sudo update-crypto-policies --set DEFAULT:DISABLE-CBC:NO-SHA1
      
      sudo init 6
      

    3. After the VM has restarted, confirm that the combined policy is active. The output should read DEFAULT:DISABLE-CBC:NO-SHA1:

      sudo update-crypto-policies --show
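To rehearse the procedure before touching a live host, the following shell script (an added example, not part of the original page) builds the DISABLE-CBC subpolicy from a constructed stand-in for DEFAULT.pol in a scratch directory, counts the CBC tokens that remain, and compares the string reported by update-crypto-policies --show against the expected value. The sample policy text, the scratch directory and the function names are assumptions; the real DEFAULT.pol carries more directives than the two lines constructed here. It also goes slightly beyond the page's four seds by using the g flag, so a cipher that appears more than once on a line is removed every time, and by squeezing the double spaces the deletions leave behind.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run the DISABLE-CBC build on a
# constructed stand-in for DEFAULT.pol, then verify the result before anything
# under /etc/crypto-policies is touched on a real host.

# Constructed sample (assumption): the real DEFAULT.pol has more directives,
# but the cipher line is what the page's seds act on.
SAMPLE_POL='cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512'

# make_disable_cbc SRC DST: copy SRC to DST and strip the four CBC cipher
# names. Unlike the page's per-name seds (first match per line only), this
# uses /g so a cipher listed twice on one line is removed every time, and
# then squeezes the double spaces the deletions leave behind.
make_disable_cbc() {
    cp "$1" "$2"
    sed --in-place \
        -e 's/CAMELLIA-256-CBC//g' -e 's/AES-256-CBC//g' \
        -e 's/CAMELLIA-128-CBC//g' -e 's/AES-128-CBC//g' \
        -e 's/  */ /g' -e 's/ *$//' "$2"
}

# cbc_count FILE: how many "-CBC" tokens remain; 0 means the module is clean.
cbc_count() {
    grep -o -- '-CBC' "$1" | wc -l | tr -d ' '
}

# policy_matches EXPECTED ACTUAL: succeed only if the policy string reported
# by `update-crypto-policies --show` (ACTUAL) is exactly EXPECTED.
policy_matches() {
    [ "$2" = "$1" ]
}

# Stand-alone dry run in a scratch directory (assumed location via mktemp).
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_POL" > "$work/DEFAULT.pol"
make_disable_cbc "$work/DEFAULT.pol" "$work/DISABLE-CBC.pmod"
echo "CBC tokens left in DISABLE-CBC.pmod: $(cbc_count "$work/DISABLE-CBC.pmod")"
cat "$work/DISABLE-CBC.pmod"
rm -rf "$work"
```

On the real host, run the same check against the live file, cbc_count /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod, and after the reboot policy_matches DEFAULT:DISABLE-CBC:NO-SHA1 "$(update-crypto-policies --show)". To see what OpenSSL actually offers under the active policy on RHEL/Rocky, where OpenSSL understands the PROFILE=SYSTEM cipher string, openssl ciphers -v 'PROFILE=SYSTEM' should list no CBC suites once the policy is in effect.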