Skip to content

Configure Crypto Policy to Disable CBC and sha1 hash

  1. Run the following command to check the crypto policy which is currently in use in the Rocky Linux 8/RHEL 8 VM. If it's set to DEFAULT (By default, it's set to DEFAULT) or any other policy, copy it to the following location: /etc/crypto-policies/policies/modules/. Then follow the below steps to remove the CBC ciphers:

    update-crypto-policies --show
    
    sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/CAMELLIA-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/AES-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/CAMELLIA-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
    sudo sed --in-place 's/AES-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    
  2. To disable sha1, follow the below steps:

    1. Run the below command:
      sudo cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/policies/modules/NO-SHA1.pmod

    2. Set the DISABLE-CBC and NO-SHA1 policies and run the following command to restart the VM.

      sudo update-crypto-policies --set DEFAULT:DISABLE-CBC:NO-SHA1
      
      sudo init 6
      

    3. After the VM is restarted, run the following command to check the updated cryptographic policies. sudo update-crypto-policies --show