Bug 2196856

Summary: [RFE] Add the ability to change crypto-policies for a single service
Product: Red Hat Enterprise Linux 9
Component: crypto-policies
Version: 9.3
Status: CLOSED DUPLICATE
Type: Bug
Keywords: FutureFeature
Reporter: Juan Manuel Santos <jsantos>
Assignee: Alexander Sosedkin <asosedki>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: bdm, rmetrich
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ---
Doc Type: If docs needed, set a value
Last Closed: 2023-05-16 14:51:17 UTC

Description Juan Manuel Santos 2023-05-10 14:36:18 UTC
Description of problem:
Since the introduction of crypto-policies, we can easily change the entire system's crypto configuration. However, changing a single service's configuration is still complicated.

For example, changing sshd's crypto policy requires not just having a custom crypto backend for opensshserver, but also additional modifications in the openssl backend, as well as a systemd drop-in to use the custom configuration (see: https://access.redhat.com/solutions/7012231).

Furthermore, our product documentation does not mention this (e.g. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies)

Version-Release number of selected component (if applicable):
crypto-policies-20220815-1.git0fbe86f.el9

How reproducible:
Every time

Steps to Reproduce:
1. Apply a custom crypto policy to a service by creating a backend file in /etc/crypto-policies/back-ends
2. Point the service configuration to the new backend.

Actual results:
Depending on the service, additional steps are needed (e.g. a custom OpenSSL backend + systemd drop-in file in the case of sshd)

Expected results:
As easy as it is to change the crypto policy for the entire system, it should also be possible to set it on a per-application basis (as long as the application is known to crypto-policies).

Additional info:
This issue was brought up in a recent case where a customer needed a RHEL 6 client to connect to a RHEL 9 SSH server. Setting DEFAULT:SHA1 as the system-wide crypto policy worked, but the customer did not want the entire system to accept SHA1, just SSH.
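As an added example (not the reporter's code, and not anything shipped by crypto-policies or Red Hat), the bash script below stages the three-file, sshd-only workaround the report describes: an sshd drop-in that sorts before the file that Includes the opensshserver backend, a per-process OpenSSL config that re-enables SHA-1 signatures, and a systemd drop-in that points only sshd at that config through OPENSSL_CONF. Assumptions not taken from the page: the file names 40-sha1-legacy.conf, /etc/ssh/openssl-sha1.cnf and 10-openssl-conf.conf; that the legacy client needs ssh-rsa signatures and diffie-hellman-group14-sha1 key exchange; and that the RHEL 9 OpenSSL honours rh-allow-sha1-signatures from a config named by OPENSSL_CONF. By default it writes into a scratch directory so the result can be inspected before touching a live host.

```shell
#!/bin/bash
# Added example: stage the sshd-only SHA-1 opt-out under a root prefix.
# Not code from the bug report or the crypto-policies project; names and
# algorithm choices below are assumptions, see the comments.
set -euo pipefail
export LC_ALL=C   # byte-wise string comparison in sorts_before_policy_include

# RHEL 9 drop-in that carries "Include /etc/crypto-policies/back-ends/opensshserver.config".
POLICY_INCLUDE_FILE="50-redhat.conf"

# sshd keeps the first value it sees for a keyword and /etc/ssh/sshd_config.d/*.conf
# is read in sorted order, so an override only works if its name sorts before
# 50-redhat.conf. Returns 0 when the name is early enough.
sorts_before_policy_include() {
    [[ "$1" < "$POLICY_INCLUDE_FILE" ]]
}

write_sshd_dropin() {   # $1 = root prefix ("" for the live system)
    local name="40-sha1-legacy.conf" dir="$1/etc/ssh/sshd_config.d"   # assumed name
    sorts_before_policy_include "$name" || { echo "$name would sort after $POLICY_INCLUDE_FILE" >&2; return 1; }
    mkdir -p "$dir"
    cat > "$dir/$name" <<'EOF'
# Re-admit SHA-1 based algorithms for legacy (RHEL 6 era) clients only.
# Assumption: the client needs ssh-rsa signatures and group14-sha1 KEX.
# Caveat: "+" appends to OpenSSH's compiled-in defaults, not to the
# crypto-policies list; the policy's own line for each keyword below is then
# ignored because sshd takes the first occurrence. Verify with: sshd -T
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
EOF
    printf '%s\n' "$dir/$name"
}

# Minimal OpenSSL 3 config for one process. It deliberately does not include
# /etc/pki/tls/openssl.cnf, whose opensslcnf.config backend pins
# rh-allow-sha1-signatures = no; sshd does no TLS, so losing the policy's TLS
# settings for this single process changes nothing else.
write_openssl_cnf() {   # $1 = root prefix
    local file="$1/etc/ssh/openssl-sha1.cnf"   # assumed path
    mkdir -p "$1/etc/ssh"
    cat > "$file" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
alg_section = evp_properties

[evp_properties]
# RHEL-specific OpenSSL property; the system-wide backend leaves it at "no".
rh-allow-sha1-signatures = yes
EOF
    printf '%s\n' "$file"
}

write_systemd_dropin() {   # $1 = root prefix
    local dir="$1/etc/systemd/system/sshd.service.d" name="10-openssl-conf.conf"   # assumed name
    mkdir -p "$dir"
    cat > "$dir/$name" <<'EOF'
# Only sshd sees this variable; the rest of the system keeps the global policy.
[Service]
Environment=OPENSSL_CONF=/etc/ssh/openssl-sha1.cnf
EOF
    printf '%s\n' "$dir/$name"
}

stage() {   # $1 = "/" for the live system, or a scratch directory to preview
    local root="${1%/}"
    write_sshd_dropin "$root"
    write_openssl_cnf "$root"
    write_systemd_dropin "$root"
}

# Default run previews into a scratch directory and prints the files written.
# To apply for real, run with STAGE_ROOT=/ and then:
#   systemctl daemon-reload && sshd -t && systemctl restart sshd
#   sshd -T | grep -iE 'hostkeyalgorithms|pubkeyacceptedalgorithms|kexalgorithms'
STAGE_ROOT="${STAGE_ROOT:-/tmp/sshd-sha1-stage}"
stage "$STAGE_ROOT"
```

The `sshd -T` check at the end matters because of the caveat in the drop-in: the `+` form extends OpenSSH's built-in list rather than the crypto-policies list, so the effective algorithm set should be read back from the daemon rather than assumed from the policy. Everything other than sshd keeps the unmodified system policy, which is exactly the separation the reporter was after.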