Configure Crypto Policy to Disable CBC and sha1 hash
- Run the following command to check the crypto policy currently in use on the Rocky Linux 8/RHEL 8 VM. If it is set to DEFAULT (the default) or to any other policy, copy it to /etc/crypto-policies/policies/modules/ and then follow the steps below to remove the CBC ciphers:

    update-crypto-policies --show
    sudo cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    sudo sed --in-place 's/CAMELLIA-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    sudo sed --in-place 's/AES-256-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    sudo sed --in-place 's/CAMELLIA-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
    sudo sed --in-place 's/AES-128-CBC//' /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod
- To disable sha1, follow the steps below:
- Run the command below:

    sudo cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/policies/modules/NO-SHA1.pmod
- Apply the DISABLE-CBC and NO-SHA1 modules on top of DEFAULT with the first command, then restart the VM with the second:

    sudo update-crypto-policies --set DEFAULT:DISABLE-CBC:NO-SHA1
    sudo init 6
- After the VM has restarted, run the following command to confirm that the updated cryptographic policy is active:

    sudo update-crypto-policies --show
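As an added example that is not part of the original page, the POSIX shell script below rehearses the CBC-stripping step offline against a constructed, DEFAULT.pol-style cipher and hash section, and then checks both the trimmed text and the policy string that `update-crypto-policies --show` should report after the final step. Nothing here writes under /etc; the sample policy text, the function names (`strip_cbc`, `count_tokens`, `verify_policy_text`, `check_active_policy`) and the `-CBC$` token check are assumptions, while the real module file and the stock NO-SHA1 module are the ones shipped by the system.

```shell
#!/bin/sh
# Added example, not from the original page: rehearse the CBC-stripping step
# against a constructed policy snippet and verify the outcome. Nothing here
# writes to /etc; the sample contents and function names are assumptions.

# Constructed sample in the style of a DEFAULT.pol cipher/hash section
# (assumption; the file shipped with crypto-policies is authoritative).
SAMPLE_POLICY='cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA1'

# strip_cbc POLICY_TEXT
# Apply the same four substitutions the page runs with sed --in-place, then
# squeeze the double spaces they leave behind and drop trailing blanks.
strip_cbc() {
    printf '%s\n' "$1" | sed \
        -e 's/CAMELLIA-256-CBC//' \
        -e 's/AES-256-CBC//' \
        -e 's/CAMELLIA-128-CBC//' \
        -e 's/AES-128-CBC//' \
        -e 's/ \{2,\}/ /g' \
        -e 's/ *$//'
}

# count_tokens POLICY_TEXT REGEX
# Number of whitespace-separated tokens matching REGEX. Zero is a normal
# result here, so grep's exit status of 1 on "no match" is swallowed.
count_tokens() {
    printf '%s\n' "$1" | tr ' ' '\n' | { grep -c -- "$2" || true; }
}

# verify_policy_text POLICY_TEXT
# Succeeds when no cipher token ends in -CBC and an AEAD cipher (AES-256-GCM)
# is still listed, i.e. the file was trimmed rather than emptied.
verify_policy_text() {
    [ "$(count_tokens "$1" '-CBC$')" -eq 0 ] &&
    [ "$(count_tokens "$1" '^AES-256-GCM$')" -eq 1 ]
}

# check_active_policy SHOW_OUTPUT
# Succeeds only if the string reported by `update-crypto-policies --show`
# carries both the DISABLE-CBC and NO-SHA1 modules.
check_active_policy() {
    case "$1" in *DISABLE-CBC*) ;; *) return 1 ;; esac
    case "$1" in *NO-SHA1*) ;; *) return 1 ;; esac
    return 0
}

# Stand-alone run: show the trimmed text and the verdict.
TRIMMED=$(strip_cbc "$SAMPLE_POLICY")
printf '%s\n' "$TRIMMED"
if verify_policy_text "$TRIMMED"; then
    echo "no CBC ciphers remain"
else
    echo "CBC ciphers still present" >&2
fi
```

The same token check can be run against the real module after the copy-and-sed steps, for example `tr ' ' '\n' < /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod | grep -c -- '-CBC$'`, which should print 0; a count of AES-256-GCM that is still 1 confirms the substitutions removed only the CBC entries and not the whole cipher line.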