Skip to content

Harden OpenSSL Crypto Policy

An XCCDF Rule

Description

Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL and leave rest of the Crypto Policy intact. This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value.

Rationale

The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.

ID
xccdf_org.ssgproject.content_rule_harden_openssl_crypto_policy
Severity
Medium
References
Updated