{"description": "Crypto Policies provide centralized control over the cryptographic algorithms used by many packages.\nGnuTLS honors the system crypto policy, but the GnuTLS configuration may be\nset up to ignore it.\n\nTo check that Crypto Policies settings are configured correctly, ensure that\n<tt>/etc/crypto-policies/back-ends/gnutls.config</tt> contains the following\nline and that the line is not commented out:\n<tt>+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0</tt>\n\nThe line first enables every protocol version (<tt>+VERS-ALL</tt>) and then disables SSL 3.0, TLS 1.0, TLS 1.1, DTLS 0.9 and DTLS 1.0, leaving TLS 1.2 and later (and DTLS 1.2) negotiable. GnuTLS priority-string keywords are order-independent, so the keywords may appear in any order; GnuTLS will then negotiate the highest version that remains enabled. The grep-based check below matches the exact string, however, so keep the keywords in the order shown if that check is relied upon.", "rationale": "Overriding the system crypto policy makes the behavior of the GnuTLS\nlibrary diverge from what administrators expect, and makes system configuration more\nfragmented.", "severity": "medium", "references": {"nist": ["AC-17(2)"], "srg": ["SRG-OS-000250-GPOS-00093", "SRG-OS-000423-GPOS-00187"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "cryptographic policy for gnutls is not configured or is configured incorrectly", "ocil": "To verify that GnuTLS uses the DoD-approved TLS crypto policy, run:\n<pre>$ sudo grep -F\n'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'\n/etc/crypto-policies/back-ends/gnutls.config</pre> and verify that a match exists on a line that is not commented out (<tt>-F</tt> matches the string literally, so the dots in the version numbers are not treated as wildcards).", "oval_external_content": null, "fixtext": "Configure the Ubuntu 22.04 GnuTLS library to use only DoD-approved encryption by adding the following line to \"/etc/crypto-policies/back-ends/gnutls.config\":\n\n+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0\n\nA reboot is required for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement DoD-approved TLS encryption in the GnuTLS package.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], 
"inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure GnuTLS library to use DoD-approved TLS Encryption", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml", "template": null}
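The rule's description says the priority-string keywords may appear in any order, while its grep check only matches the exact string. The script below is an added example, not part of the SCAP Security Guide rule or of the crypto-policies project: it checks a GnuTLS back-end file for the required keywords order-independently, on a single non-comment line, and tolerates the keywords being embedded in a longer priority string. The function names, the temporary-file layout and the three sample configuration contents are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the SSG rule or the crypto-policies project).
# Order-independent check that a GnuTLS crypto-policy back-end file carries
# every keyword of the required line on one uncommented line. Function
# names, temp-file layout and sample contents are assumptions for this demo.

REQUIRED='+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
GNUTLS_CONFIG=/etc/crypto-policies/back-ends/gnutls.config

# line_has_all_keywords LINE
# Returns 0 when every colon-separated keyword of $REQUIRED occurs as a
# whole colon-separated field of LINE (any order, extra fields allowed),
# 1 otherwise. Comparing whole fields means a keyword embedded in a longer
# priority string such as "SYSTEM=NONE:+VERS-ALL:..." is still found.
line_has_all_keywords() {
    candidate=$1
    saved_ifs=$IFS
    IFS=:
    for keyword in $REQUIRED; do
        found=0
        for field in $candidate; do
            [ "$field" = "$keyword" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            IFS=$saved_ifs
            return 1
        fi
    done
    IFS=$saved_ifs
    return 0
}

# check_gnutls_policy FILE
# Returns 0 if FILE has at least one non-comment line carrying all required
# keywords, 1 if the file is unreadable or no such line exists.
check_gnutls_policy() {
    file=$1
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading whitespace, then skip blank and commented-out lines.
        stripped=${line#"${line%%[![:space:]]*}"}
        case $stripped in
            ''|'#'*) continue ;;
        esac
        if line_has_all_keywords "$stripped"; then
            return 0
        fi
    done < "$file"
    return 1
}

# Constructed sample files showing the outcomes the rule cares about.
demo() {
    tmp=$(mktemp -d) || return 1
    # Keywords present, reordered, embedded in a longer priority string: PASS
    printf '%s\n' '# constructed sample' \
        'SYSTEM=NONE:-VERS-TLS1.0:-VERS-SSL3.0:+VERS-ALL:-VERS-DTLS1.0:-VERS-DTLS0.9:-VERS-TLS1.1:+AES-256-GCM' \
        > "$tmp/reordered.config"
    # The exact required line, but commented out: FAIL
    printf '# %s\n' "$REQUIRED" > "$tmp/commented.config"
    # TLS 1.0 is never disabled: FAIL
    printf '%s\n' '+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-SSL3.0:-VERS-DTLS1.0' \
        > "$tmp/tls10-left-on.config"
    for name in reordered commented tls10-left-on; do
        if check_gnutls_policy "$tmp/$name.config"; then
            echo "$name: PASS"
        else
            echo "$name: FAIL"
        fi
    done
    rm -rf "$tmp"
}

# Check the live file when it exists, then run the constructed samples.
if [ -r "$GNUTLS_CONFIG" ]; then
    if check_gnutls_policy "$GNUTLS_CONFIG"; then
        echo "$GNUTLS_CONFIG: PASS"
    else
        echo "$GNUTLS_CONFIG: FAIL"
    fi
fi
demo
```

Run it as root (or any user who can read the back-end file) to get a PASS/FAIL verdict for the live file followed by the three samples; a FAIL on the live file means either the line is missing, is commented out, or does not disable one of the legacy versions. Restart every process that has GnuTLS loaded (or reboot, as the fix text says) after changing the file, since the library reads its configuration at load time.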