Bug 1841943
| Summary: | Man page for update-crypto-policies is incorrect with regards to Openjdk | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Chris Dolphy <cdolphy> |
| Component: | crypto-policies | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | nmavrogi, omoris |
| Target Milestone: | rc | Keywords: | ManPageChange, Triaged |
| Target Release: | 8.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | crypto-policies-20200610-1.git0ac8b1f.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:58:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This was already fixed in the 8.3 build by the upstream rebase. Chris, the man page was corrected as follows:

Applications using Java: No special treatment is required. Applications using Java will load the crypto policies by default. These applications will then inherit the settings for allowed cipher suites, allowed TLS and DTLS protocol versions, allowed elliptic curves, and limits for cryptographic keys. To prevent openjdk applications from adhering to the policy the <java.home>/jre/lib/security/java.security file should be edited to contain security.useSystemPropertiesFile=false. Alternatively one can create a file containing the overridden values for jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms and pass the location of that file to Java on the command line using the -Djava.security.properties=<path to file>.

Is that okay for you?

Oh, I misread the description. The fix is not there yet.

Successfully verified.
# man update-crypto-policies
...
. Applications using Java: No special treatment is required. Applications using Java will
load the crypto policies by default. These applications will then inherit the settings
for allowed cipher suites, allowed TLS and DTLS protocol versions, allowed elliptic curves,
and limits for cryptographic keys. To prevent openjdk applications from adhering to the
policy the <java.home>/jre/lib/security/java.security file should be edited to contain
security.useSystemPropertiesFile=false or the system property
java.security.disableSystemPropertiesFile be set to true. Note that the system property
java.security.properties is loaded with a lower preference than the crypto policies, so
you can’t use this property to override crypto policies without also preventing openjdk
applications from adhering to the policy.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4536
Description of problem:
Man page for update-crypto-policies is incorrect with regards to Openjdk

The man page in the openjdk section says:

Alternatively one can create a file containing the overridden values for jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms and pass the location of that file to Java on the command line using the -Djava.security.properties=<path to file>.

But in fact this will not work because the crypto policies always take precedence as they are loaded last. However, there is another way to disable the crypto policies. You can set the system property "java.security.disableSystemPropertiesFile" to true.

So my suggestion is to change the man page to say:

· Applications using Java: No special treatment is required. Applications using Java will load the crypto policies by default. These applications will then inherit the settings for allowed cipher suites, allowed TLS and DTLS protocol versions, allowed elliptic curves, and limits for cryptographic keys. To prevent openjdk applications from adhering to the policy the <java.home>/jre/lib/security/java.security file should be edited to contain security.useSystemPropertiesFile=false or the system property java.security.disableSystemPropertiesFile set to "true". Note that the system property java.security.properties is loaded with a lower preference than the crypto policies, so you can't use this property to override crypto policies without also preventing openjdk applications from adhering to the policy.

Version-Release number of selected component (if applicable):
RHEL 8.2

How reproducible:
very

Steps to Reproduce:
1. man update-crypto-policies
2. get wrong info!

Actual results:

Expected results:

Additional info:
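The precedence question at the heart of this report (why -Djava.security.properties cannot loosen the policy, while security.useSystemPropertiesFile=false or -Djava.security.disableSystemPropertiesFile=true does opt a JVM out) is easiest to see as a load-order model. The script below is an added example, not code from OpenJDK or from crypto-policies; it encodes the order the report describes (java.security first, then the -Djava.security.properties file, then the crypto-policies file loaded last unless opted out) as an assumption, and all file contents, the override path and the policy file path are constructed samples. It doubles as a small audit helper: given a java.security file and a JVM command line it reports whether the system policy is actually enforced for that process.

```python
"""Model of how jdk.tls.disabledAlgorithms is resolved on a RHEL-style OpenJDK
that honours the system crypto policy. Added illustration; the load order is an
assumption taken from the bug report, the '==' whole-file replacement form of
-Djava.security.properties is treated like a plain merge, and an absent
security.useSystemPropertiesFile is treated as 'false'."""
from __future__ import annotations
import shlex


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value lines, '#' / '!' comments,
    backslash line continuations. Good enough for java.security-shaped files."""
    props: dict[str, str] = {}
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def system_props(cmdline: str) -> dict[str, str]:
    """Collect -Dname=value options from a java command line."""
    out: dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            out[name] = value
    return out


def resolve(java_security_text: str, cmdline: str,
            override_files: dict[str, str], policy_text: str) -> tuple[str, str]:
    """Return (effective jdk.tls.disabledAlgorithms, reason) for one JVM invocation."""
    props = parse_properties(java_security_text)          # 1. <java.home>/.../java.security
    sysprops = system_props(cmdline)

    spec = sysprops.get("java.security.properties")       # 2. -Djava.security.properties=<file>
    if spec and props.get("security.overridePropertiesFile", "true") == "true":
        props.update(parse_properties(override_files[spec.lstrip("=")]))

    # 3. crypto-policies file, loaded last, so whatever it sets wins unless the JVM opted out
    opted_out_in_file = props.get("security.useSystemPropertiesFile", "false") != "true"
    opted_out_by_flag = sysprops.get("java.security.disableSystemPropertiesFile", "false") == "true"
    if opted_out_in_file:
        reason = "opted out: security.useSystemPropertiesFile=false in java.security"
    elif opted_out_by_flag:
        reason = "opted out: -Djava.security.disableSystemPropertiesFile=true"
    else:
        props.update(parse_properties(policy_text))
        reason = "system crypto policy enforced"
        if spec:
            reason += " (-Djava.security.properties override was shadowed)"
    return props["jdk.tls.disabledAlgorithms"], reason


# ---- constructed samples (not real RHEL files) ----
JAVA_SECURITY = """
# constructed excerpt of <java.home>/jre/lib/security/java.security
security.overridePropertiesFile=true
security.useSystemPropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA
"""
JAVA_SECURITY_OPTED_OUT = JAVA_SECURITY.replace("useSystemPropertiesFile=true",
                                                "useSystemPropertiesFile=false")
POLICY = """
# constructed stand-in for the crypto-policies Java back-end file (assumed path)
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, RC4, MD5withRSA
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
"""
OVERRIDE_FILES = {"/tmp/relaxed.properties": "jdk.tls.disabledAlgorithms=SSLv3\n"}  # constructed

if __name__ == "__main__":
    for cmd in ("java -jar app.jar",
                "java -Djava.security.properties=/tmp/relaxed.properties -jar app.jar",
                "java -Djava.security.disableSystemPropertiesFile=true "
                "-Djava.security.properties=/tmp/relaxed.properties -jar app.jar"):
        value, why = resolve(JAVA_SECURITY, cmd, OVERRIDE_FILES, POLICY)
        print(f"{cmd}\n  -> {why}\n  jdk.tls.disabledAlgorithms = {value}")
```

Run as-is it walks the three command lines from the report: the plain invocation and the one carrying only -Djava.security.properties both end up with the policy's value, and only the invocation that also sets -Djava.security.disableSystemPropertiesFile=true gets the relaxed list. Feeding real `ps` output and the real java.security through resolve() is a cheap way to find JVMs that have quietly opted out of the system policy.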