Bug 2090004

Summary: [RFE] Add functionality to update-crypto-policies to show effective configuration
Product: Red Hat Enterprise Linux 8
Reporter: jcalhoun
Component: crypto-policies
Assignee: Alexander Sosedkin <asosedki>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 8.6
Keywords: FutureFeature
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2022-05-25 08:57:10 UTC
Type: Bug

Comment 2 Alexander Sosedkin 2022-05-25 08:57:10 UTC
crypto-policies doesn't deal in TLS ciphersuites,
as no library configuration mechanisms it uses deals in ciphersuites
(which would've been awesome, frankly).
crypto-policies deals, approximately, in algorithms lists,
combinations of which then comprise available ciphersuites.

If one wants to verify crypto-policies configuration in crypto-policies terms
after setting a custom policy, manually inspecting /etc/crypto-policies/state/CURRENT.pol
and /etc/crypto-policies/backends/* is the closest they can get.

If one wants to verify the effective list of ciphersuites supported by openssl, gnutls or nss,
one would have to test separately against openssl, gnutls or nss.
The results will differ slightly across them because of the library implementation details,
and are also subject to change with the library updates
so trying to guesstimate them would be error-prone.

The sanest way to verify the effective configuration is, indeed,
probing all the backends you're interested in, the way the customer does now.
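The probing the comment recommends, written out as an added example (this is not code from the bug report or from the crypto-policies project): query the openssl and gnutls back ends for the ciphersuites they actually enable under the system policy, then diff the two lists. It assumes a RHEL-style OpenSSL whose openssl.cnf includes /etc/crypto-policies/back-ends/opensslcnf.config so the cipher string 'PROFILE=SYSTEM' resolves, and a gnutls-cli whose '@SYSTEM' priority reads /etc/crypto-policies/back-ends/gnutls.config (note the directory is spelled back-ends on the installed system). NSS is not probed. The SAMPLE_* strings are constructed to look like each tool's output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the bug report or from crypto-policies itself.
# Probes the openssl and gnutls back ends for the TLS ciphersuites they
# actually enable under the system policy and diffs the two lists.
#
# Assumptions: RHEL-style OpenSSL where 'PROFILE=SYSTEM' resolves via
# /etc/crypto-policies/back-ends/opensslcnf.config, and gnutls-cli whose
# '@SYSTEM' priority reads /etc/crypto-policies/back-ends/gnutls.config.
set -u

# Normalise either tool's output to sorted, unique 16-bit IANA ciphersuite
# codepoints ("0xC0,0x30" from openssl and "0xc0, 0x30" from gnutls -> C030).
# Keying on codepoints rather than names matters: the libraries spell the
# same suite differently (ECDHE-RSA-AES256-GCM-SHA384 vs
# TLS_ECDHE_RSA_AES_256_GCM_SHA384), so a name-based diff would be all noise.
codepoints() {
    grep -oE '0x[0-9a-fA-F]{2}, ?0x[0-9a-fA-F]{2}' \
        | tr -d 'x, ' | tr 'a-f' 'A-F' \
        | sed 's/^0\(..\)0\(..\)$/\1\2/' | sort -u
}

# Live probes. -V makes openssl print the codepoint column; -l makes
# gnutls-cli list the suites the given priority string enables.
probe_openssl() { openssl ciphers -V 'PROFILE=SYSTEM' 2>/dev/null | codepoints; }
probe_gnutls()  { gnutls-cli -l --priority @SYSTEM 2>/dev/null | codepoints; }

# Lines of $1 that do not appear in $2 (both newline-separated lists).
only_in_first() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$1" | grep -vxF -f "$tmp" || :
    rm -f "$tmp"
}

# Report suites enabled by only one of the two back ends; no output means
# the libraries agree, which is what a consistent custom policy should give.
compare_backends() {   # compare_backends NAME1 LIST1 NAME2 LIST2
    only_in_first "$2" "$4" | sed "s/^/only in $1: /"
    only_in_first "$4" "$2" | sed "s/^/only in $3: /"
}

# Constructed sample output in each tool's format (not captured from a real
# host) so the normalisation can be exercised where the tools are absent.
SAMPLE_OPENSSL='0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH   Au=RSA  Enc=AESGCM(256) Mac=AEAD'
SAMPLE_GNUTLS='Cipher suites for @SYSTEM
TLS_AES_256_GCM_SHA384                  0x13, 0x02      TLS1.3
TLS_ECDHE_RSA_AES_256_GCM_SHA384        0xc0, 0x30      TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305         0xcc, 0xa8      TLS1.2'

if command -v openssl >/dev/null 2>&1 && command -v gnutls-cli >/dev/null 2>&1; then
    compare_backends openssl "$(probe_openssl)" gnutls "$(probe_gnutls)"
else
    compare_backends openssl "$(printf '%s\n' "$SAMPLE_OPENSSL" | codepoints)" \
                     gnutls  "$(printf '%s\n' "$SAMPLE_GNUTLS" | codepoints)"
fi
```

On a host with both tools the script prints nothing when the two back ends agree; each "only in" line is a suite one library enables and the other does not, which is exactly the kind of implementation-detail drift the comment warns cannot be predicted from the policy files alone. Rerun it after every openssl or gnutls update, not just after changing the policy.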