Description of problem:
After installing openssl-gost-engine, the GOST algorithms are not shown in the list.

Version-Release number of selected component (if applicable):
crypto-policies-20200619-1.git781bbd4.fc32.noarch
crypto-policies-scripts-20200619-1.git781bbd4.fc32.noarch
openssl-gost-engine-1.1.0.3-6.fc32.x86_64

How reproducible:
Install and configure the openssl gost engine.

Steps to Reproduce:
1. dnf install openssl-gost-engine
2. Enable the engine in /etc/pki/tls/openssl.cnf; add after ssl_conf = ssl_module:

    engines = custom_engines

    [ custom_engines ]
    gost = gost_module

    [ gost_module ]
    engine_id = gost
    default_algorithms = ALL
    CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

3. Check the openssl engine:

    openssl engine
    (dynamic) Dynamic engine loading support
    (gost) Reference implementation of GOST engine

Actual results:
Try to enable the GOST policy module:

    update-crypto-policies --set DEFAULT:GOST
    Bad value of policy property: mac - unknown list item 'HMAC-GOST'
    Bad value of policy property: group - unknown list item 'GOST-EC'
    Bad value of policy property: hash - unknown list item 'GOSTHASH'
    Bad value of policy property: sign - unknown list item 'GOST-EC-GOSTHASH'
    Bad value of policy property: tls_cipher - unknown list item 'GOST-CIPHER'
    Bad value of policy property: cipher - unknown list item 'GOST-CIPHER'
    Bad value of policy property: key_exchange - unknown list item 'GOST-EC'
    Errors found in policy

Get the ciphers from openssl:

    openssl ciphers|tr ':' '\n'|grep GOST

Expected results:

    openssl ciphers|tr ':' '\n'|grep GOST
    GOST2012-GOST8912-GOST8912
    GOST2001-GOST89-GOST89

This is from Ubuntu, where I installed the same packages.

Additional info:
I tried to find where these items are defined, but did not find anything.
I believe this works as expected with the introduction of https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/d99e0afa5399747143c40803f20846428d44600a, which is already available in Fedora 33's 20200918-1.git85dccc5.
Just to clarify - yes, Fedora 32 does not support GOST in crypto-policies properly. The fixes are only in Fedora 33.
Yep. I updated crypto-policy from the commit and now:

    update-crypto-policies --set DEFAULT:GOST
    Setting system policy to DEFAULT:GOST
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.

    openssl ciphers -v | grep GOST
    GOST2012-GOST8912-GOST8912 TLSv1 Kx=GOST Au=GOST12 Enc=GOST89(256) Mac=GOST89
    GOST2001-GOST89-GOST89 TLSv1 Kx=GOST Au=GOST01 Enc=GOST89(256) Mac=GOST89

And it now worked. Thanks.
Please understand that taking the crypto-policies from a different release and applying it might break many things. So you're at your own risk with this. :) I'd recommend upgrading to Fedora 33.
(In reply to Tomas Mraz from comment #4)
> Please understand that taking the crypto-policies from a different release and
> applying it might break many things. So you're at your own risk with this.
> :) I'd recommend upgrading to Fedora 33.

Yes, I know. It's just a fast fix. Later I'll upgrade my system to the 33 release.
Pleased to hear that it has resolved your issue! By the way, when updating to the current Fedora 33 version of crypto-policies (be it a full system update or your venturous package mix-and-matching), please mind the other significant changes introduced since Fedora 32, especially the hardening described in https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2. If it turns out that you need to reenable algorithms deprecated between Fedora 32 and Fedora 33, consider DEFAULT:FEDORA32:GOST.