{"description": "Crypto Policies are a means of enforcing certain cryptographic settings for\nselected applications including OpenSSL. OpenSSL is by default configured to\nmodify its configuration based on the currently configured Crypto Policy.\nEditing the Crypto Policy back-end is not recommended.\n\nCheck the crypto-policies(7) man page and choose a policy that configures the TLS\nprotocol to version 1.2 or higher, for example the DEFAULT, FUTURE or FIPS policy,\nor create and apply a custom policy that restricts the minimum TLS version to 1.2.\n\nFor example, for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch,\nthis is expected:\n\n<pre>$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nMinProtocol = TLSv1.2\n</pre>\n\nFor version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer, this is\nexpected:\n\n<pre>$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2</pre>", "rationale": "Without cryptographic integrity protections, information can be altered by\nunauthorized users without detection.", "severity": "medium", "references": {"nist": ["AC-17(2)"], "srg": ["SRG-OS-000125-GPOS-00065", "SRG-OS-000250-GPOS-00093", "SRG-OS-000393-GPOS-00173", "SRG-OS-000394-GPOS-00174"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "cryptographic policy for openssl is not configured or is configured incorrectly", "ocil": "To verify that OpenSSL uses the defined TLS Crypto Policy, run:\n<pre>$ grep -P '^(TLS\\.)?MinProtocol' /etc/crypto-policies/back-ends/opensslcnf.config</pre>\nand verify that the value is\n<pre>TLSv1.2</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to use the <sub idref=\"var_system_crypto_policy\" /> crypto policy.\n\nRun the following command:\n\n<pre>$ sudo update-crypto-policies --set <sub idref=\"var_system_crypto_policy\" /></pre>", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "Ubuntu 22.04 must use at minimum TLSv1.2 for TLS connections.", "warnings": [{"general": "This rule doesn't come with a remediation, as automatically changing the crypto-policies may be too disruptive.\nEnsure the variable <tt>xccdf_org.ssgproject.content_value_var_system_crypto_policy</tt> is set to a\nCrypto Policy that satisfies the OpenSSL minimum TLS protocol version of 1.2. Custom policies may be applied too."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement DOD-approved TLS encryption in the OpenSSL package.", "vuldiscussion": "Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nThe employed algorithms can be viewed in the /etc/crypto-policies/back-ends/openssl.config file.", "checktext": "Verify that the Ubuntu 22.04 OpenSSL library is configured to use TLS 1.2 encryption or stronger with the following command:\n\n$ grep -i  minprotocol /etc/crypto-policies/back-ends/opensslcnf.config\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nIf \"TLS.MinProtocol\" is set to anything older than \"TLSv1.2\" or \"DTLS.MinProtocol\" is set to anything older than \"DTLSv1.2\", this is a finding.", "fixtext": "Configure the Ubuntu 22.04 OpenSSL library to use only DOD-approved TLS encryption by editing the following line in the 
\"/etc/crypto-policies/back-ends/opensslcnf.config\" file:\n\nTLS.MinProtocol = TLSv1.2\nDTLS.MinProtocol = DTLSv1.2\n\nA reboot is required for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure OpenSSL library to use TLS Encryption", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml", "template": null}