This package provides a tool update-crypto-policies, which applies
the policies provided by the crypto-policies package. These can be
either the pre-built policies from the base package or custom policies
defined in simple policy definition files.
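The policy definition files mentioned above are plain "key = values" text, optionally narrowed to a backend with "@SCOPE", and a subpolicy module (a .pmod file dropped into /etc/crypto-policies/policies/modules/ and stacked with, for example, update-crypto-policies --set DEFAULT:MYMODULE) removes entries with a leading "-". The following is an added example, not code from the crypto-policies package and not its cryptopolicies Python module: a deliberately small evaluator of that syntax, useful for predicting what a custom module will do to each scope before it is applied. It assumes the single, braced-list and negated scope forms (@TLS, @{TLS,SSH}, @!SSH), shell-style wildcards in removals, and that later files override earlier ones; the "+" operator is not modelled, and the base policy and module text are constructed samples, not the real DEFAULT policy.

```python
"""Simplified evaluator for crypto-policies style policy definition files.

Added example, not the package's own implementation. It models the syntax
"key = values", "key@SCOPE = values" and "key = -value" removals well enough
to show the effective list for a given (key, scope) after stacking a
subpolicy module on a base policy. The "+" operator is deliberately not
handled; consult crypto-policies(7) for the authoritative grammar.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r'^(?P<key>[A-Za-z0-9_]+)'        # algorithm class or option name
    r'(?:@(?P<scope>[^=\s]+))?'       # optional @SCOPE, @{A,B} or @!SCOPE
    r'\s*=\s*(?P<value>.*)$')


@dataclass
class Statement:
    key: str
    scope: str | None          # None: applies to every scope
    negate: bool               # @!SCOPE form: applies everywhere except these
    scopes: frozenset          # empty when scope is None
    omit: bool                 # True for "-value" lines, False for assignment
    values: list               # algorithm names, or glob patterns when omit


def parse(text, source='policy'):
    """Parse one .pol or .pmod text into an ordered list of statements."""
    stmts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'{source}:{lineno}: malformed line {raw!r}')
        values = m['value'].split()
        minus = [v.startswith('-') for v in values]
        if any(minus) and not all(minus):
            raise ValueError(f'{source}:{lineno}: cannot mix "-" with assignment')
        if any(v.startswith('+') for v in values):
            raise ValueError(f'{source}:{lineno}: "+" operator not modelled here')
        scope = m['scope']
        negate = scope is not None and scope.startswith('!')
        scopes = frozenset(scope.lstrip('!').strip('{}').split(',')) if scope else frozenset()
        stmts.append(Statement(m['key'], scope, negate, scopes,
                               bool(values) and all(minus),
                               [v.lstrip('-') for v in values]))
    return stmts


def resolve(stmts, key, scope):
    """Effective value list of `key` in `scope`, applying statements in order."""
    current = []
    for s in stmts:
        if s.key != key:
            continue
        if s.scope is not None and (scope in s.scopes) == s.negate:
            continue                              # scoped line does not apply here
        if s.omit:
            current = [v for v in current
                       if not any(fnmatch.fnmatchcase(v, pat) for pat in s.values)]
        else:
            current = list(s.values)              # plain assignment replaces the list
    return current


def effective(base_text, *module_texts):
    """Stack modules on top of a base policy, as BASE:MOD1:MOD2 would."""
    stmts = parse(base_text, 'base')
    for i, mod in enumerate(module_texts):
        stmts += parse(mod, f'module{i}')
    return stmts


# Constructed sample inputs (not the shipped DEFAULT policy or NO-SHA1 module).
BASE_POLICY = """\
# deliberately permissive base policy
hash = SHA2-256 SHA2-384 SHA2-512 SHA1
sign = RSA-PSS-SHA2-256 RSA-SHA2-256 RSA-SHA1 ECDSA-SHA1
mac = AEAD HMAC-SHA2-256 HMAC-SHA1
cipher@TLS = AES-256-GCM AES-128-GCM
cipher@SSH = AES-256-GCM AES-256-CTR
sha1_in_certs = 1
"""

NO_SHA1_MODULE = """\
# subpolicy module: strip SHA-1 everywhere, AES-128 outside SSH
hash = -SHA1
sign = -*-SHA1
mac@{TLS,SSH} = -HMAC-SHA1
cipher@!SSH = -AES-128-GCM
sha1_in_certs = 0
"""

if __name__ == '__main__':
    stmts = effective(BASE_POLICY, NO_SHA1_MODULE)
    for key, scope in [('hash', 'TLS'), ('sign', 'TLS'), ('mac', 'TLS'),
                       ('mac', 'IPSEC'), ('cipher', 'TLS'), ('cipher', 'SSH')]:
        print(f'{key}@{scope}: {" ".join(resolve(stmts, key, scope))}')
```

Note how the scoped lines behave: "mac@{TLS,SSH} = -HMAC-SHA1" leaves HMAC-SHA1 in place for an unlisted scope such as IPSEC, which is exactly the kind of gap a reviewer should look for in a hardening module. After a real module is applied with update-crypto-policies --set, confirm the result with update-crypto-policies --show and by reading the generated files under /etc/crypto-policies/back-ends/ rather than trusting the module text alone.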
License
LGPL-2.1-or-later
Changelog
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 20251128-3.git19878fe
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 20251128-2.git19878fe
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* Fri Nov 28 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20251128-1.git19878fe
- openssl: allow disabling all TLS / DTLS protocols
- gnutls: do enabled-curve for hybrids with said curve
- nss: enable ML-DSA
* Tue Nov 25 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20251125-1.gitd04d331
- sequoia: register "eddsa" as an alias to EDDSA-ED25519
- sequoia: revert "Do not include EdDSA in FIPS policy"
- openssl: let TLS 1.3 brainpool groups get used for key shares
- openssh: support mlkem768nistp256-sha256 and mlkem1024nistp384-sha384
* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 20250714-5.gitcd6043a
- Rebuilt for Python 3.14.0rc3 bytecode
* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 20250714-4.gitcd6043a
- Rebuilt for Python 3.14.0rc2 bytecode
* Tue Jul 29 2025 jiri vanek <jvanek@redhat.com> - 20250714-3.gitcd6043a
- Rebuilt for java-25-openjdk as preferred jdk
* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 20250714-2.gitcd6043a
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jul 14 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250714-1.gitcd6043a
- FIPS: disable MLKEM768-X25519 for openssh (no-op)
- python, policies, tests: alias X25519-MLKEM768 to MLKEM768-X25519
- gnutls: enable ML-DSA, for both secure-sig and secure-sig-for-cert
* Fri Jun 20 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250620-1.git9496ef7
- sequoia: Add PQC algorithms
- sequoia: Do not include EdDSA in FIPS policy
- sequoia: Generate AEAD policy
- FIPS: deprioritize X25519-MLKEM768 over P256-MLKEM768 for openssl
- openssl: send one PQ and one classic key_share; prioritize PQ groups
- TEST-PQ: be more careful with the ordering
* Tue Jun 03 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250603-1.git3a584b3
- Revert "openssl, policies: implement group_key_share option"
* Mon Jun 02 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250602-1.git9a48d06
- NO-PQ, cryptopolicies: add experimental value suppression
- openssl: fix mistakes in integrity-only cipher definitions
- FIPS: enable hybrid ML-KEM (TLS only) and pure ML-DSA
- openssl, policies: implement group_key_share option
* Thu Apr 17 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250402-2.git86c0178
- Remove a build dependency on oqsprovider now that we require openssl 3.5
* Wed Apr 02 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250402-1.git86c0178
- policies, alg_lists, openssl: remove KYBER from allowed values
- sequoia, rpm-sequoia: use ignore_invalid with sha3, x25519, ...
* Mon Mar 24 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250324-1.git3714354
- sequoia: add sha3, x25519, ed25519, x448, ed448, but not for rpm-sequoia
- _openssl_block_sha1_signatures: flip the default to 1
- FEDORA40: drop this lag-behind policy, migrating users to FEDORA42
- TEST-FEDORA41: drop as it never happened, migrating users to DEFAULT
- FEDORA42: introduce at the pre-update DEFAULT values
- FEDORA43: introduce at the post-update DEFAULT values
- LEGACY, DEFAULT, FUTURE: enable ML-KEM and ML-DSA
* Thu Mar 13 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250305-3.gita35b0fa
- Add a build dependency on oqsprovider as openssh config check is now fussy
* Thu Mar 13 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250305-2.gita35b0fa
- Remove openssl.config from %files (bz2351864)
- Bump openssl dependency even higher for more openssl.config fixes (bz2351864)
* Wed Mar 05 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250305-1.gita35b0fa
- gnutls: support P384-MLKEM1024
- openssl: specify default key size for req
* Fri Feb 14 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250214-1.gitff7551b
- openssl: use both names for P384-MLKEM1024
- gnutls: drop kyber (switching to leancrypto took it away)
- fips-mode-setup: remove (Changes/RemoveFipsModeSetup)
* Wed Jan 29 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250129-1.gite614154
- openssl: stop generating `openssl` in favour of `opensslcnf`
* Fri Jan 24 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250124-1.git4d262e7
- openssl: stricter enabling of Ciphersuites
- openssl: make use of -CBC and -AESGCM keywords
* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 20241128-2.gitbb7b0b0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Thu Nov 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241128-1.gitbb7b0b0
- openssl, BSI: add TLS 1.3 Brainpool identifiers
* Tue Nov 26 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241126-1.gitbb3f7dc
- openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
- update-crypto-policies: don't output FIPS warning in fips mode
* Wed Nov 06 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241106-1.git35892de
- gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
- nss: add mlkem768x25519
* Mon Nov 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241104-1.git4983c10
- openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
* Mon Nov 04 2024 Miro Hrončok <mhroncok@redhat.com> - 20241018-2.gitce922cb
- Silence harmless error messages from %pre scriptlet
* Fri Oct 18 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241018-1.gitce922cb
- openssh, TEST-PQ: rename MLKEM key-exchange to MLKEM768
* Fri Oct 18 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241018-1.git66c17d1
- openssh: add support for sntrup761x25519-sha512 and mlkem768x25519-sha256
- TEST-PQ: enable sntrup761x25519-sha512 and mlkem768x25519-sha256 for openssh
* Thu Oct 10 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241010-1.git8baf557
- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
- openssl: map NULL to TLS_SHA256_SHA256:TLS_SHA384_SHA384
* Fri Sep 27 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240927-1.git93b7251
- nss: be stricter with new purposes
* Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.git5f66e81
- fips-mode-setup: small Argon2 detection fix
* Mon Aug 26 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240826-1.gite824389
- SHA1: add __openssl_block_sha1_signatures = 0
* Thu Aug 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240822-1.git64c9381
- fips-mode-setup: block if LUKS devices using Argon2 are detected
* Wed Aug 07 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240807-1.git5795660
- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
* Fri Aug 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240802-1.git2e5e430
- nss: rewrite backend for nss 3.101
* Thu Jul 25 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240725-1.git9555558
- gnutls: wire X25519-KYBER768 to GROUP-X25519-KYBER768
- openssh: make dss no longer enableable, support is dropped
* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 20240717-2.git154fd4e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Wed Jul 17 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240717-1.git154fd4e
- Changes/OpenSSLDistrustSHA1SigVer: implement, see below
- DEFAULT: switch to rh-allow-sha1-signatures = no...
- TEST-FEDORA41: reset to DEFAULT
- FEDORA40: introduce with the previous contents of DEFAULT
- nss: wire XYBER768D00 to X25519-KYBER768, not KYBER768
- TEST-PQ: disable KYBER768
* Tue Jul 16 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240715-2.gitf8b6a29
- fix running pre scriptlet in first transaction ever, pre-coreutils
* Mon Jul 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240715-1.gitf8b6a29
- BSI: Update BSI policy for new 2024 minimum recommendations
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
* Fri Jun 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240628-1.gitddd11d3
- nss: wire KYBER768 to XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- BSI: switch to 3072 minimum RSA key size
* Tue May 21 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240521-1.gitf71d135
- nss: unconditionally include p11-kit-proxy
- TEST-PQ: update algorithm list, mark all PQ algorithms experimental
* Wed May 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240515-1.gita24a14b
- gnutls: use tls-session-hash option, enforcing EMS in FIPS mode
- gnutls: DTLS 0.9 is controllable again
- gnutls: remove extraneous newline
- openssh: remove support for old names of RequiredRSASize
* Wed Mar 20 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240320-1.git58e3d95
- modules/FEDORA32, FEDORA38, TEST-FEDORA39: drop
- openssl: mark liboqsprovider groups optional with ?
- TEST-PQ: add more group and sign values, marked experimental
- TEST-FEDORA41: add a new policy with __openssl_block_sha1_signatures = 1
- TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.git0375239
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: stop linting at check-time, relying on upstream CI instead
- packaging: drop stale workarounds
- libreswan: do not use up pfs= / ikev2= keywords for default behaviour
* Tue Feb 27 2024 Jiri Vanek <jvanek@redhat.com> - 20240201-2.git9f501f3
- Rebuilt for java-21-openjdk as system jdk
* Thu Feb 01 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240201-1.git9f501f3
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- java: disable ChaCha20-Poly1305 where applicable
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 20231204-3.git1e3a2e4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 20231204-2.git1e3a2e4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
Files
/usr/bin/update-crypto-policies
/usr/share/crypto-policies/python
/usr/share/crypto-policies/python/__pycache__
/usr/share/crypto-policies/python/__pycache__/build-crypto-policies.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/__pycache__/build-crypto-policies.cpython-314.pyc
/usr/share/crypto-policies/python/__pycache__/update-crypto-policies.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/__pycache__/update-crypto-policies.cpython-314.pyc
/usr/share/crypto-policies/python/build-crypto-policies.py
/usr/share/crypto-policies/python/cryptopolicies
/usr/share/crypto-policies/python/cryptopolicies/__init__.py
/usr/share/crypto-policies/python/cryptopolicies/__pycache__
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/__init__.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/__init__.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/alg_lists.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/alg_lists.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/cryptopolicies.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/__pycache__/cryptopolicies.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/alg_lists.py
/usr/share/crypto-policies/python/cryptopolicies/cryptopolicies.py
/usr/share/crypto-policies/python/cryptopolicies/validation
/usr/share/crypto-policies/python/cryptopolicies/validation/__init__.py
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/__init__.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/__init__.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/alg_lists.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/alg_lists.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/general.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/general.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/rules.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/rules.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/scope.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/__pycache__/scope.cpython-314.pyc
/usr/share/crypto-policies/python/cryptopolicies/validation/alg_lists.py
/usr/share/crypto-policies/python/cryptopolicies/validation/general.py
/usr/share/crypto-policies/python/cryptopolicies/validation/rules.py
/usr/share/crypto-policies/python/cryptopolicies/validation/scope.py
/usr/share/crypto-policies/python/policygenerators
/usr/share/crypto-policies/python/policygenerators/__init__.py
/usr/share/crypto-policies/python/policygenerators/__pycache__
/usr/share/crypto-policies/python/policygenerators/__pycache__/__init__.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/__init__.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/bind.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/bind.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/configgenerator.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/configgenerator.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/gnutls.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/gnutls.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/java.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/java.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/krb5.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/krb5.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/libreswan.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/libreswan.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/libssh.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/libssh.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/nss.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/nss.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/openssh.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/openssh.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/openssl.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/openssl.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/sequoia.cpython-314.opt-1.pyc
/usr/share/crypto-policies/python/policygenerators/__pycache__/sequoia.cpython-314.pyc
/usr/share/crypto-policies/python/policygenerators/bind.py
/usr/share/crypto