Hi, Kris Deugau <[email protected]> wrote:
> It should be possible to set options like this in /etc somewhere, which
> shouldn't be overwritten on package upgrades. I'm not sure where
> CentOS/RHEL/Fedora have put the relevant OpenSSL configuration recently,
> but on Debian and derivatives this can be set in /etc/ssl/openssl.cnf.

It is; the idea is to define an exception in the system crypto policy used by the system.

There are multiple ways to do this:

[ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening ]

See sections:

- 3.5. Excluding an application from following system-wide crypto policies
- 3.6. Customizing system-wide cryptographic policies with policy modifiers
- 3.7. Creating and setting a custom system-wide cryptographic policy

It's not as quick and simple as editing one configuration file, but this should not be too difficult to implement.

The issue here is that this mechanism is new in Red Hat/CentOS 8 and some people may not be aware of it.

Sincerely,

-- 
Xavier Belanger
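The policy-modifier route from section 3.6, written out as an added shell example (not part of the thread above): a modifier file is dropped into the crypto-policies modules directory and then layered on top of DEFAULT. The directive names (min_rsa_size, hash), the modules directory and the DEFAULT:NAME form are assumed from the Red Hat documentation; the ROOT parameter is a constructed convenience so the file-writing step can be exercised outside /etc.

```shell
#!/bin/sh
# Added example: create and apply a crypto-policies modifier on RHEL/CentOS 8
# instead of hand-editing openssl.cnf (which package upgrades may overwrite).
# Assumed from the Red Hat docs: modules live in
# /etc/crypto-policies/policies/modules/NAME.pmod and are activated with
# "update-crypto-policies --set DEFAULT:NAME".

# write_policy_modifier ROOT NAME
# Writes ROOT/etc/crypto-policies/policies/modules/NAME.pmod and prints its path.
# ROOT is "" on a live system; a scratch directory lets you inspect the result first.
write_policy_modifier() {
    root="$1"
    name="$2"
    dir="$root/etc/crypto-policies/policies/modules"
    mkdir -p "$dir"
    # Constructed modifier: tightens DEFAULT (larger RSA keys, SHA-2/SHA-3 only).
    # Any directive the policy format accepts can be set the same way.
    cat > "$dir/$name.pmod" <<'EOF'
min_rsa_size = 3072
hash = SHA2-384 SHA2-512 SHA3-384 SHA3-512
EOF
    printf '%s\n' "$dir/$name.pmod"
}

# apply_policy_modifier NAME
# Activates DEFAULT plus the modifier and shows the resulting policy name.
# Requires root; returns 1 where the tool is not installed so nothing is guessed.
apply_policy_modifier() {
    name="$1"
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --set "DEFAULT:$name"   # regenerates back-end configs
        update-crypto-policies --show                  # expected: DEFAULT:NAME
        echo "restart affected services or reboot so every daemon reloads the policy"
    else
        echo "update-crypto-policies not found; nothing applied" >&2
        return 1
    fi
}

# Live use (as root):
#   write_policy_modifier "" MYCRYPTO-1 && apply_policy_modifier MYCRYPTO-1
```

The OpenSSL back end ends up in /etc/crypto-policies/back-ends/opensslcnf.config, which the distribution's openssl.cnf includes, so the change survives package upgrades.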
