Configure OpenSSL library to use System Crypto Policy

An XCCDF Rule

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.

Rationale

Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented.

ID: xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
Severity: Medium
References: CCI-001453

CIP-003-8 R4.2 CIP-007-3 R5.1 CIP-007-3 R7.1

AC-17(2) AC-17(a) CM-6(a) MA-4(6) SC-12(2) SC-12(3) SC-13

Req-2.2

SRG-OS-000250-GPOS-00093

CCE-82545-5
Updated: about 1 year ago